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Abstract — This paper presents a non-blocking Patricia 
trie implementation for an asynchronous shared-memory 
system using Compare&Swap. The trie implements a lin- 
earizable set and supports three update operations: insert 
adds an element, delete removes an element and replace 
replaces one element by another. The replace operation is 
interesting because it changes two different locations of 
tree atomically. If all update operations modify different 
parts of the trie, they run completely concurrently. The 
implementation also supports a wait-free find operation, 
which only reads shared memory and never changes the 
data structure. Empirically, we compare our algorithms to 
some existing set implementations. 

I. Introduction 

A Patricia trie [22,1 is a tree that stores a set of keys, 
which are represented as strings. The trie is structured 
so that the path from the root to a key is determined by 
the sequence of characters in the key. So, the length of 
this path is at most the length of the key (and will often 
be shorter). Thus, if key strings are short, the height of 
the trie remains small without requiring any complicated 
balancing. The simplicity of the data structure makes it a 
good candidate for concurrent implementations. Patricia 
tries are widely used in practice. They have applica- 
tions in routing systems, data mining, machine learning, 
bioinformatics, etc. H, E), Il6\, ED, ES- Allowing 
concurrent access is essential in some applications and 
can boost efficiency in multicore systems. 

We present a new concurrent implementation of Pa- 
tricia tries for binary strings using single-word Com- 
pare&Swap (CAS). The operations on the trie are lin- 
earizable, meaning they appear to take place atomically 
fl9L They are also non-blocking (lock-free); some pro- 
cess completes its operation in a finite number of steps 
even if other processes fail. Wait-free algorithms satisfy 
the stronger guarantee that every process completes its 
operation in a finite number of steps. 

Our implementation supports wait-free find operations 
and provides non-blocking insertions and deletions. We 
also provide a non-blocking replace operation that makes 
two changes to the trie atomically: it deletes one key and 
inserts another. If all update operations are occurring at 
disjoint parts of the trie, they do not interfere with one 
another. 



A Patricia trie can be used to store a set of points 
in M'^. For example, a point in whose coordinates 
are {x, y) can be represented as key formed by in- 
terleaving the bits of x and y. (This yields a data 
structure very similar to a quadtree.) Then, the replace 
operation can be used to move a point from one location 
to another atomically. This operation has applications 
in Geographic Information System [IS]. The replace 
operation would also be useful if the Patricia trie were 
adapted to implement a priority queue, so that one can 
change the priority of an element in the queue. 

Search trees are another class of data structures that 
are commonly used to represent sets. When keys are 
not uniformly distributed, balanced search trees generally 
outperform unbalanced ones. The reverse is often true 
when keys are uniformly distributed due to the simplicity 
of unbalanced search trees. Our empirical results show 
that the performance of our trie is consistently good in 
both scenarios. This is because our trie implementation 
is as simple as an unbalanced search tree but also keeps 
trees short. For simplicity, we rely on a garbage collector 
(such as the one provided in Java implementations) that 
deallocates objects when they are no longer accessible. 

For our Patricia trie algorithms, we extend the scheme 
used in ifTTl for binary search trees to coordinate pro- 
cesses. Thus, we show that the scheme is more widely 
applicable. In particular, we extend the scheme so that it 
can handle update operations that make more than one 
change to the tree structure. Updates to the same part of 
the tree help one another to guarantee the non-blocking 
property. An update first creates a descriptor object that 
contains enough information about the update, so that 
other processes can complete the update by reading the 
descriptor object. As in ifTTl . before an update changes 
the tree, it flags a small number of nodes to avoid 
interference with other concurrent updates. (A node is 
flagged if it has a pointer to a descriptor object, otherwise 
it is unflagged.) When the update is complete, the flags 
are removed from nodes that are still in the tree. Searches 
do not need to check for flags and can therefore traverse 
the trie very efficiently simply by reading child pointers. 
Searches in our Patricia trie are wait-free, unlike the 
searches in ifTTIl because the length of a search path in 
a Patricia trie is bounded by the length of the key. 



There are several novel features of this work. In our 
implementation, we design one fairly simple routine 
that is called to perform the real work of all update 
operations. In contrast, insert and delete operations in 
on are handled by totally separate routines. This makes 
our proof of correctness more modular than the proof 
of ifTTl . Our techniques and correctness proof can be 
generalized to other tree-based data structures. 

In [ 1 1 1, modifications were only made at the bottom of 
the search tree. Our new Patricia trie implementation also 
copes with modifications that can occur anywhere in the 
trie. This requires proving that changes in the middle of 
the trie do not cause concurrent search operations pass- 
ing through the modified nodes to go down the wrong 
branch. Howley and Jones EOl introduced changes in 
the middle of a search tree but only to keys stored in 
internal nodes, not the structure of the tree itself 

In 1 1 1 1, atomic changes had to be done by changing a 
single pointer. Our replace operation makes two changes 
to the trie atomically. Both changes become visible at the 
first CAS operation on a child pointer This new scheme 
can be generalized to make several changes to the trie 
atomically by making all changes visible at a single 
linearization point. Cederman and Tsigas [9J proposed 
a non-blocking replace operation for a tree-based data 
structure, but they require double-CAS (that modifies 
two non-adjacent locations conditionally). 

To summarize: 

• We present a non-blocking linearizable Patricia trie. 

• We employ one routine to implement the real work 
of any update operation. 

• We present a non-blocking update operation that 
requires changes to two child pointers using single- 
word CAS. 

• We provide a modular correctness proof that can be 
adapted for other data structures. We give a sketch 
of the correctness proof here. A more detailed proof 
is provided in Appendix. 

• We compare our implementation empirically to 
other existing concurrent data structures. 

The remainder of the paper is organized as follows. 
In Section |Il] we present related work. We describe the 
structure of the algorithms and how the operations are 
implemented in detail in Section III Section [IVjprovides 
a sketch of the correctness proof. In Section [V] we 
compare our trie to other algorithms empirically. Some 



concluding remarks are given in Section VI 



II. Related Work 

Most concurrent data structures are lock-based. How- 
ever, lock-based implementations have drawbacks such 



as priority inversion, deadlock and convoying. Two state 
of the art examples of lock-based implementations of set 
data structures are the AVL tree by Bronson et al. |6|, 
which maintains an approximately balanced tree, and the 
self-adjusting binary search tree by Afek et al. (T\, which 
moves frequently accessed nodes closer to the root. Aref 
and Ilyas Q described how lock-based implementations 
could be designed for a class of space-partitioning trees 
that includes Patricia tries. Lock-coupling can also be 
applied to implement a concurrent Patricia trie ESl . 

In this paper, we focus on non-blocking algorithms, 
which do not use locks. There are two general techniques 
for obtaining non-blocking data structures: universal 
constructions (see the related work section of flOl for a 
recent survey of work on this) and transactional memory 
ESl (see ifTTl for a survey). Such general techniques are 
usually not as efficient as algorithms that are designed 
for specific data structures. 

Tsay and Li lIZTl gave a general wait-free construction 
for tree-based data structures. To access a node, a process 
makes a local copy of the path from the root to the node, 
performs computations on the local copy, and then atom- 
ically replaces the entire path by its local copy. Since this 
approach copies many nodes and causes high contention 
at the root, their approach is not very efficient. Barnes 
f3] presented another general technique to obtain non- 
blocking implementations of data structures in which 
processes cooperate to complete operations. 

Ellen et al. [iT] presented the first non-blocking 
binary search tree data structure from CAS operations. 
Their approach has some similarity to the cooperative 
technique of f3l. As discussed in Section [l] our Patricia 
trie implementation extends the approach used in 111]. 
Brown and Helga |8i generalized the binary search trees 
of liin to non-blocking fc-ary search trees and compared 
the non-blocking search trees with the lock-based search 
tree of Bronson et al. |6| empirically on a multicore 
system. 

Howley and Jones ||20l presented a non-blocking 
search tree from CAS operations using a cooperative 
technique similar to til j . Their tree store keys in both 
leaf and internal nodes. However, search operations 
sometimes help update operations by performing CASs. 

Braginsky and Petrank proposed a non-blocking bal- 
anced B-Htree from CAS operations ID . The implementa- 
tion uses the marking technique of ifTSl and the flagging 
technique of fTT\. 

Earlier this year, Prokopec et al. Il24ll described a non- 
blocking hash trie that uses CAS operations. Their ap- 
proach is very different from our implementation. Unlike 
Patricia tries, in their trie implementation, an internal 
node might have single child. In their implementation. 
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Fig. 1. An example of a Patricia trie. (Leaves are represented by 
squares and internal nodes are represented by circles.) 

nodes have up to 2*' children (where fc is a parameter) 
and extra intermediate nodes are inserted between the 
actual nodes of the trie. With k = 5, the height of 
their trie is very small, making their implementation very 
fast when contention is low. However, our experiments 
suggest that it is not very scalable under high contention. 
Unlike our implementation, their search operation may 
perform CAS steps. 

Non-blocking implementations of set data structures 
have also been proposed based on skip lists using CAS 
operations fTT], |13|, [^61. A non-blocking skip list 
(ConcurrentSkipListMap) was then implemented in the 
Java class library by Doug Lea. 

III. Algorithm Description 

We assume an asynchronous shared-memory system 
with single-word CAS operations. We first give the 
sequential specification of the operations. The trie stores 
a set D of keys from a finite universe U. If v ^ D, 
insert(t;) changes D to DU {v} and returns true; other- 
wise, it returns false. If v £ D, delete(i;) changes D to 
D — {v} and returns true; otherwise, it returns false. 
If V G D and v' ^ D, replace(v, w') changes D to 
D—{v}U{v'} and returns true; otherwise, it returns false. 
If V £ D, find(u) returns true; otherwise, it returns false. 
In either case, find(u) does not change D. We assume 
elements of D can be encoded as ^-bit binary strings. 
(In Section |VI| we describe how to handle unbounded 
length keys.) 

A. Data Structures 

First, we describe the structure of a binary Patricia 
trie. (See Figure [T]) Each internal node has exactly two 
children. The elements of D are stored in the leaves of 
the trie. Each internal node stores a binary string that is 
the longest common prefix of its children. If a node's 
label has length fc — 1, then the fcth bit of the node's left 
and right child is and 1, respectively. The root stores 
the empty string. The height of the trie is at most £. 

Next, we describe the objects that are used in the im- 
plementation (Figure |2]i. The Patricia trie is represented 
using Leaf and Internal objects which are subtypes of 
Node objects. A Node object has a label field repre- 
senting its binary string, which is never changed after 



initialization. An Internal object has an array of Node 
objects of size two, denoted child, that stores pointers 
to the children of the node. 

Each Node object also has an info field that stores 
a pointer to an Info object that represents an update 
operation that is in progress at the node. The Info object 
contains enough information to allow other processes to 
help the update to complete. The Info object has two 
subtypes: Flag and Unflag. An Unflag object is used to 
indicate that no update is in progress at a node. Unflag 
objects are used instead of null pointers to avoid the 
ABA problem in the info field of a node. Initially, the 
info field of each Node object is an Unflag object. We 
say that a node is flagged or unflagged, depending on 
whether its info field stores a Flag or Unflag object. The 
info and child field of an internal node are changed using 
CAS steps. However, a leaf node gets flagged by writing 
a Flag object into its info field. 

To perform an update operation, first some internal 
nodes get flagged, then some child fields are changed 
and then nodes that are still in the trie get unflagged. 
The nodes that must be flagged to perform an update 
operation are the internal nodes whose child field will be 
changed by the update or that will be removed from the 
trie by the update. Flagging nodes is similar to locking 
nodes: it avoids having other operations change the part 
of the trie that would be changed by the update. 

A Flag object has a number of fields. The flag field 
stores nodes to be flagged and the unflag field stores 
nodes to be unflagged. Before creating a Flag object, 
an update reads the info field of each node that will 
be affected by the update before reading that node's 
child field. This value of the info field is stored in the 
Flag's oldlnfo field, and is used for the CAS that flags 
the node. This ensures that if the node is successfully 
flagged, it has not changed since its children were read. 
Moreover, once it is flagged, its children will not be 
changed by any other update operation. The boolean 
flagDone field indicates whether the flagging for the 
update has been completed. In the case of a replace 
operation, the rmvLeaf field points to the leaf to be 
removed by the update after flagging is complete. The 
actual changes to the trie to be made are described 
in three more array fields of the Flag object: pNode, 
oldChild and newChild. For each i, the update should 
CAS the appropriate child pointer of pNode[i] from 
oldChild[i] to newChild[i]. If all nodes are successfully 
flagged, then the CAS on each child pointer will be 
guaranteed to succeed because that pointer cannot have 
changed since the old value was read from it. Thus, 
like locks, the info field of a node is used to give an 
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1) Leaf: (subtype of Node) 

2) label e U 

3) info : Info 

4) Internal: (subtype of Node) 

5) label e U 

6) child : Node[2] 

7) info : Info 

8) Flag: (subtype of Info) 

9) flag : Intemal[4] 

10) oldlnfo : Info[4] 

11) unflag : Internal[2] 

12) pNode : Intemal[2] 

13) oldChild : Node[2] 

14) newChild : Node[2] 

15) rmvLeaf : Leaf 

16) flagDone : Boolean 

17) Unflag: (subtype of Info) 



The help(J) routine carries out the real work of an 
update using the information stored in the Flag object /. 



t> left and right child 



> has no field 



1 8) Initialization: 

19) root •<— new Internal(£, [new Leaf(000....0, new unflag), 

new Leaf(lll...l, new unflag)], new Unflag) 
Fig. 2. Data types used in the implementation 

operation exclusive permission to change the child field 
of that node. 

For simplicity, the root node of the trie is initially set 
to an Internal object whose children are two leaf nodes 
whose labels are the strings 0^ and 1^. We assume the 
keys 0^ and 1^ cannot be elements of D. This ensures 
that the trie always has at least two leaf nodes and the 
root node never needs to be replaced. (This avoids some 
special cases that would occur when the root is a leaf.) 

B. Update Operations 

The implementation has three update operations: in- 
sert, delete and replace. All three have the same overall 
structure. The pseudo-code for our implementation is 
given on page 5. An update op uses the search routine 
to find the location(s) in the trie to be changed. It then 
creates a new Flag object / containing all the information 
required to complete the update by calling newFlag. If 
newFlag sees that some node that must be flagged is 
already flagged with a different Flag I', it calls help(/') 



at line 110 to try completing the update described by /', 
and then op retries its update from scratch. Otherwise, 
op calls help(/) to try to complete its own update. 

As mentioned earlier, flagging nodes ensures exclusive 
access for changing child pointers. Thus, an update flags 
the nodes whose child pointers it wishes to change and 
permanently flags any node that is removed from the trie 
to avoid applying updates to a deleted portion of the trie 

Unlike locks, the Info objects store enough informa- 
tion, so that if an operation dies while nodes are flagged 
for it, other processes can complete the operation and 
remove the flags. This ensures that a failed operation 
cannot prevent others from progressing. To avoid dead- 
lock, if an update must flag more than one internal node, 
we order the internal nodes by their labels. 



It first uses flag CAS steps to flag some nodes (line 90 1 
by setting their info fields to /. If all nodes are flagged 
successfully, help(/) uses child CAS steps to change the 
child fields of some internal nodes to perform the update 



(line 98 1. Then, it uses unflag CAS steps to unflag nodes 
that were flagged earlier, except the ones that have been 



removed from the trie (line 101 1 by setting their info 
fields to a new Unflag object. In this case, any nodes 
deleted by the update remain flagged forever. If any node 
is not flagged successfully, the attempt to perform the 
update has failed and backtrack CAS steps are used to 



unflag any nodes that were flagged earlier (line 105 i. 

If any child CAS step is executed inside help(/), the 
update is successful and it is linearized at the first such 
child CAS. If a replace operation performs two different 
child CAS steps, it first executes a child CAS to insert 
the new key, and then a child CAS to delete the old key. 
In this case, the replace also flags the leaf node of the 
old key before the first child CAS step. We say the leaf 
is logically removed from the trie at the first child CAS 
step and any operation that reaches the leaf node after 
this determines that the key is already removed. We say a 
node is reachable at time T if there is path from the root 
to the node at T. We say a leaf node is logically in the 
trie at time T if the node is reachable and not logically 
removed at T. We shall prove that the following invariant 
holds: The leaf nodes that are logically in the trie at time 
T contain exactly those keys in the set D, according to 
the sequence of updates that are Unearized before T. 

Whenever a child pointer is changed, the old child is 
permanently flagged and it is removed from the trie to 
avoid the ABA problem. (In some cases, this requires 
the update to add a new copy of the old child to the 
trie.) When a call to help(/) performs a child CAS on 
I.pNode[i] (for some i), it uses I.oldChild[i] as the old 
value. Since there is no ABA problem, only the first such 
CAS on I.pNode[i] can succeed. Moreover, we prove 
that the flagging mechanism ensures that this first CAS 
does succeed. Since processes might call help(/) to help 
each other to complete their operations, there might be a 
group of child CASs on each node. However, the child 
pointer is changed exactly once for the operation. 

C. Detailed Description of Algorithms 

A search(w) is used by updates and find to locate key 
V within the trie. The search(t;) starts from the root node 
and traverses down the trie. At each step of the traversal, 
search(u) chooses the child according to the appropriate 
bit of V (line [82| . The search(i;) stops if it reaches an 
internal node whose label is not a prefix of v. We show 
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20) insert(i; G U) 

21) while(true) 

22) / ^ null 

23) {—,p,node,—,pInfo,rmvd) <— search(ti) 

24) if keyInTrie(nocZe, v, rmvd) then return false 

25) nodelnfo = node.info 

26) nodeCopy <— new copy of node 

27) newNode ^ createNode(cop2/, new Leaf containing v, 

nodelnfo) 

28) if newNode null then 

29) if node is Internal then 

30) / <— newFlag([p, »,o(i(-], [pinfo, nodelnfo], [p], 

[p], [node], [ne'iuAfoofe], null) 

31) else I <— newFlag([p], [p/n/o], [p], [p], 

[node], [netuiVode], null) 

32) if 7 ^ nuU and help(7) then return true 

33) delete(t) e U) 

34) while(trae) 

35) / ^ null 

36) (gp, p, node, gplnfo, pInfo, rmvd) ^ search(D) 

37) if keyInTrie(noa!e, v, rmvd) then return false 

38) nodeSibling <— p.child[l — (\p.label\ + l)th bit of v] 

39) if gp ^ null then 

40) / ^ newFlag([gp,p], [gpInfo,pInfo], [gp], [gp], [p], 

[nodeSibling], null) 

41) if / 7^ null and help(/) then return true 

42) replace(^;d &U,Vi e U) 

43) while(true) 

44) 7 null 

45) {gpd,Pd,noded,gpInfoa,pInfoa,rmvdd) ^ search('yd) 

46) if keyInTrie(noc!ed, Vd, rmvdj) then return false 

47) {—,pi,nodei,—,pInfoi,—,rmvdi) search(i;j) 

48) if keyInTrie(nodei, Vi, rmvdi) then return false 

49) nodelnfoi = nodei.info 

50) nodeSiblingd <— Pd-child[l — {\pii.label\ + l)th bit of Vd] 

51) if gpd ^ null and nodci ^ { noded,Pd,9Pd } 

and Pi ^ pd then 

52) copy, new copy of nodet 

53) newNodei createNode(cop2/i, new Leaf containing 

Vi, nodelnfoi) 

54) if newNodei ^ null and nodei is Internal then 

55) I <- newFlag([gpd,pd, Pi, nodei], [gplnfo^, 

pInfod,pInfoi, nodelnfoi], [gpd,Pi], [Pi, 
gPd], [nodei, Pd], [newNodei, nodeSiblingd], 
noded) 

56) else if newNodei ^ null and node, is Leaf then 

57) / •(- newFlag([gpd,pd,Pi], [gpInfod,pInfod, 

pinfoi], [gpd. Pi], [pi, gPd], [nodei, Pd], 
[newNodei, nodeSiblingd], noded) 

58) else if node, = noded then 

59) / <r- newFlag([pd], \pInfod], [Pd], [Pd], [nodei], 

[new Leaf containing Vi], null) 

60) else if (nodei = Pd snd pi = gpd) or 

61) (gPd null and pi = pd) then 

62) newNodei createNodeCnodeSift/ingd, new Leaf 

containing Vi, nodeSiblingd-inf d) 

63) if newNodei ^ null then 

64) / •(- newFlag([gpd,pd]. l9pInfod,pInfod], [gPd], 

[sPd]. bd]' [netuATodej], null) 

65) else if node, = ppd then 

66) pSiblingd <— gpd-child[l — {\gpd-label\ + l)th bit of Vd] 

67) newChildi createNode(nodeSi6Hngd, pSiblingd, -) 

68) if newChildi ^ null then 

69) newNodei createNode(ne?uC/iiidi, new Leaf 

containing -) 

70) if newNodei ^ null then / newFlag( [pi, gpd, 

Pd], [pInfoi, gpInfod,pInfod], [pi], [pi], 
[nodei], [newNodei], null) 

71) a I ^ null and help(/) then return true 



72- 
73- 
74 
75; 

76; 

77; 

78 
79 
80 
81 
82 
83 
84 
85 

86 
87 
88 
89 
90 
91 
92 
93 
94 
95 
96 
97; 

98; 

99 
100 
101 
102 
103 
104 
105 
106; 

107; 

108 
109 
110 
111 
112 
113 
114 

115 
116 



117 

118; 

119 
120 
121 

122 
123 
124; 

125 
126 



flnd(i; e U) 
( -, -, node, -, -, rmvd) <— search(v) 
if keylnMeCnode, v, rmvd) then return true 
else return false 

search(D e U) 

(p.plnfo) ■;— ( null, null) 
node -q— root 

while (node is Internal and node.label is pretix of v) 

{gp, gplnfo) ^ {p,pInfo) 

{p,pInfo) ■;— {node, node.info) 

node <— p.child[{\p.label\ + l)th bit of v] 
if node is Leaf then f> if Leaf is replaced 

rmvd <— logicallyRemoved(node. in/o) 
return (gp, p, node, gplnfo, pInfo, rmvd) 

help(7: Hag) 
i -f- 

doChildCAS •(- true 

while (i < \I.flag\ and doChildCAS) 

CAS(I.flag[{].info, I.oldInfo[i], I) > flag CAS 

doChildCAS {I.flag[i].info = I) 

i i + 1 
if doChildCAS then 

I.flagDone <r- true 

if I.rmvLeaf ^ null then I.rmvLeaf.info •<— / 
for i = to {\I.pNode\ - 1) 

k {\I.pNode[i\.label\ + l)th bit of 

I .newChild{i].label 
CKS(I.pNode[i].child[k], I.oldChild[i], 

I.newChildli]) > child CAS 

if I.flagDone then 

for i = {\I.unflag\ — 1) down to 

CAS(/.un/(ag[i].m/o, I, new Unflag) t> unflag CAS 
return true 
else 

for i = {\I.flag\ — 1) down to 

CAS(/./iag[i].m/o, I, new Unflag) I> backtrack CAS 
return false 

newFlag(/iag, oldlnfo, unflag, pNode, oldChild, 

newChild, rmvLeaf) 
for i = to (|o«d/n/o| - 1), 
if oldInfo[i] is Flag then 

help(o/d/n/o[i]) 

return null 

if flag has dupUcates with different values in oldlnfo then 
return null 

else remove duplicates in flag and unflag (and 

corresponding entries of oldlnfo) 
sort elements of flag and permute elements of oldlnfo 
return new lnfo(flag, oldlnfo, unflag, pNode, oldChild, 

newChild, rmvLeaf, false) 

createNode(nodei : Node, node2: Node, info: Info) 
if nodei.label is prefix of node2.label or 
node2.label is prefix of nodei.label then 
if info is Flag then help(iri/o) 
return null 

else return new Internal whose children are nodei and node^ 

logicalIyRemoved(/: Info) 
if / is Unflag then return false 
return (I.oldChild[0] not in I .pNode[0].child) 



keyInTrie(node: Node, v G U, rmvd: 
return (node is Leaf and node.label - 



Boolean) 

= V and rmvd = false) 



Fig. 4. The find operation and additional subroutines 



Fig. 3. Update operations 
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that any node visited by the search was reachable at some 
time during the search. If the search(ti) does not return 
a leaf containing v, there was a time during the search 
when no leaf containing v was reachable. Moreover, the 
node that is returned is the location where an insert 
would have to put v. If search(w) reaches a leaf node and 
the leaf node is logically removed by a replace operation, 
search(t;) sets rmvd to true (line [84| . 

As we shall see, update operations must change the 
child pointers of the parent or grandparent of the node 
returned by search. The search operation returns gp, p 
and node, the last three nodes reached (where p stands 
for parent and gp stands for grandparent). A search 
also returns the values gplnfo and pinfo that it read 
from the info fields of gp and p before reading their 
c/iiW pointers. More formally, if search(w) returns {gp, p, 
node, gplnfo, pInfo, rmvd), it satisfies the following 
post-conditions. (1) At some time during search(u), 
gp.info was gplnfo (if gp is not null). (2) Then, at 
some later time during search(u), p was a child of gp 
(if gp is not null). (3) Then, at some later time during 
search(w), p.info was pInfo. (4) Then, at some later 
time during search(i;), p.child[i] was node for some i. 
(5) (p.label) • i is a prefix of v. (6) If node is an internal 
node, node.label is not a prefix of v. (7) If rmvd is true, 
node is logically removed at some time during search(u). 
(8) If rmvd is false, node is logically in the trie at some 
time during search(i;). 

After calling search, an update uses the newFlag 
routine to create a Flag object. For each node that the 
update must flag, a value read from the info field during 
search of the node is passed to newFlag as the old value 
to be used in the flag CAS step. The old value for a flag 
CAS was read before the old value for the corresponding 
child CAS, so if the flag CAS succeeds, then the node's 
child field has not been changed since the last time its 
old value was read. The newFlag routine checks if all 



old values for info fields are Unflag objects (line 109 1. 
If some info field is not an Unflag object, then there is 
some other incomplete update operating on that node. 
The newFlag routine tries to complete the incomplete 



update (line 110 1, and then returns null, which causes the 



update to restart. In some cases of the replace operation 
that change the trie in two steps, gp returned by the first 
search might be equal to p returned by the second search. 
So, the operation might send duplicate elements to get 
flagged to the newFlag routine. If the duplicate elements 
do not have the same old values, their child fields might 
have changed since the operation read them, so newFlag 
returns null and the operation starts over (line |112||113| l. 
Otherwise, only one copy of each duplicate element is 





node 

insert(v) - Case 1 insert(v) - Case 2 delete(v) 

Fig. 5. Different cases of insert(ti) and delete(?j). (Triangles are eitlier 
a leaf node or a subtree. The dotted lines are the new child pointers 
that replace the old child pointers (solid lines) and the dotted circles 
are newly created nodes.) 



kept (line 114 1. The newFlag routine sorts the nodes to 
be flagged (to avoid deadlocks) and returns the new Flag 
object (line [TT5pT6| . 

After an update u creates a Flag object /, it calls 
help(/). This routine attempts to complete the update. 
First, it uses CAS steps to put the Flag object / in the 
info field of the nodes to be flagged (line [90| . If all 
nodes are flagged successfully, the flagDone field of 
the Flag object is set to true (line [94) l. The value of the 
flagDone field is used to coordinate processes that help 
the update. Suppose a process p is executing help(/). 
After p performs a flag CAS on a node x, if it sees a 
value different from / in the a;'s info field, there are two 
possible cases. The first case is when all nodes were 
already successfully flagged for / by other processes 
running help(/), and then x was unflagged before p 
tries to flag x. (Prior to this unflagging, some process 
performed the child CAS steps of / successfully.) The 
second case is when no process flags x successfully for 
/. Since the flagDone field of / is only set to true after 
all nodes are flagged successfully, p checks the value of 
the flagDone field to determine which case happened. 
If flagDone is true, the modifications to the trie for 
update u have been made. If flagDone is false, the 
update operation cannot be successfully completed, so 
all internal nodes that got flagged earlier are unflagged 
by the back-tracking CAS steps at line 104|106 and the 
update u will have to start over. 

After flagging all nodes successfully and setting 
I. flagDone, if I.rmvLeaf is a leaf, its info field is set 



to / (line 95 i. Only the two-step replace operations flag 
a leaf Then, help(/) changes the child fields of nodes in 
I.pNode using child CASs (line [96p8] l. Finally, help(/) 
uses unflag CASs to unflag the nodes in I .unflag and 
returns true (line [99l|102| ). 

The insert(t)) routine first calls search(w). Let ( -, p, 
node, -, -, rmvd) be the result returned by search(i;). If 
node is a leaf containing v and rmvd is false, insert('i;) 



returns false since the trie already contains v (line 24 1. 
Otherwise, the insertion attempts to replace node with 
a node created line 11211 whose children are a new leaf 
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node containing v and a new copy of node. (See Figure 
|5]) Thus, the parent p of node must be flagged. A new 
copy of node is used to avoid the ABA problem. If node 
is an internal node, since node is replaced by a new copy. 



insert(ti) must flag node permanently (line 30 1. 

The delete (v) routine first calls search(t;). Let {gp, p, 
node, -, -, rmvd) be the result returned by the search(u). 
If node is not a leaf node containing v or rmvd is true, 
delete(w) returns false since the trie does not contain 
V (line [37] i. Then, delete(u) replaces p by the sibling 
of node. (See Figure |5]) So, delete(w) must flag the 
grandparent gp of node and mark p (line 40 1. 



A replace works as follows. First, replace(i;c(, Vi) calls 
seaxchivd) and search(?;j), which return {gpd, Pd, noded, 
-, -, rmvdd) and (-, pi, nodei, -, -, rmvdi). The replace 
checks that Vd is in the trie and Vi is not, as in the insert 
and delete operations (line 45p8] l. If either test fails, the 
replace returns false. 

If insert(ui) and delete(wd), as described in Figure 
[5] would not overlap, replace(wc;, Vi) is done by two 
child CAS steps and is linearized at the first of these 
two changes. This is called the general case of replace. 
Situations when the insertion and deletion would occur 
in overlapping portions of the trie are handled as special 
cases as shown in Figure |6] In the special cases, the 
replace changes the trie with one child CAS. 

In the general case of the replace operation (line Fp7 1, 
we create a Flag object which instructs the help routine 
to perform the following actions. The replace flags the 
same nodes that an insert(t;i) and a delete(vd) would 
flag. After flagging these nodes, the leaf noded also gets 
flagged. Then, Vi is added to the trie, as in insert(?;i). 
When the new leaf node is added, the leaf noded, which 
contains Vd, becomes logically removed, but not phys- 
ically removed yet. Then, noded is physically deleted 
as in delete(wc;). After noded is flagged, any search that 
reaches noded checks if pi is a parent of the old child 
of Pi using noded.info. If it is not, it means the new 
leaf containing Vi is already inserted and the operation 
behaves as if Vd is already removed. 

There are four special cases of replace(i;£;, Vi) where 
the changes required by the insertion and deletion are 
on the overlapping portions of the trie and the replace 
operation is done using one child CAS step. Although 
the code for these cases looks somewhat complicated, 
it simply implement the actions described in Figure [6] 
by creating a Flag object and calling help. The insertion 
of Vi replaces nodei by a new node. The cases when 
the deletion must remove nodei or change nodei. child 
are handled as special cases. So, the case that noded — 
nodei is one special case (line 58p9 1. In the deletion. 





■<;op)i- 



noded 



Case 1; noded = nodei 
Fig. 



Case 2: pd = nodei, gpd = pi 
Case 3: pd = pi, noded t nodei Case 4: gpd = 

6. Special cases of replace(-u^, i;^). 



Pd is removed, so the case that pd — nodei or pd — Pi 
are also handled as a special case (line [60p4| . In the 
deletion, gp.child is changed. So, the last special case 
is when gpd = nodei (line 65]|70 i. In all special cases, 
nodei is replaced by a new node. Here, we explain one 
special case in detail. The others are handled in a similar 
way. In case 2, pd = nodei and gpd — Pi (line 60 1. 
Since nodei must be replaced, a new copy of nodei 
is made. So, replace(U(i, Vi) flags gpd and marks nodei, 
and replaces nodei with a new internal node whose non- 
empty children are a new leaf node containing Vi and the 
sibling of noded (line 60]|64 i. 



IV. Algorithm Correctness 

A detailed proof of correctness is provided in Ap- 
pendix. It is quite lengthy, so we can only provide a 
brief sketch here. First, we define the linearization point 
of each operation. Let ( -, -, node, -, -, rmvd) be the 
result returned by a search. If node is a leaf containing 
V and rmvd is false, we prove there is a time during the 
search when node is logically in the trie and the search 
is linearized at that time. Otherwise, we show there is 
a time during the search when no leaf containing v is 
logically in the trie and the search is linearized at that 
time. If an update returns false, it is linearized at the 
linearization point of the search that caused the update 
to fail. Let / be a Flag object created by an update. If a 
child CAS performed by any call to help(/) is executed, 
the update is linearized at the first such child CAS. Next, 
we sketch the correctness proof in four parts. 

Part 1 is the heart of the proof The goal of Part 1 is 
to prove that, for any Flag object /, the successful CAS 
steps performed by all calls to help(/) proceed in the 
expected order. (See Figure |7]) First, the flag CAS steps 
are performed on nodes in order, according to the nodes' 
labels. We prove that only the first flag CAS (by any of 
the helpers) on each node can succeed. If one if these 
fails, then the nodes that have been flagged are unflagged 
by backtrack CAS steps and all calls to help(/) return 
false, indicating that the attempt at performing the update 
has failed. Otherwise, the child CAS steps are performed, 
and then the unflag CAS steps remove flags from nodes 
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that are still reachable. If several helpers perform one of 
these CAS steps, we prove that the first helper succeeds 
and no others do. In this case, all calls to help(/) return 
true. 

In Part 1, we first prove that the post-conditions of 
the search described in Section |in-C| are satisfied. Then, 
we prove that each type of update preserves the main 
invariant of the Patricia trie data structure: if x.child[i] = 
y, then (x.label) • i is a prefix of y.label. Thus, the 
structure is a correct trie. (This also implies that labels 
of reachable nodes are distinct, so flagging can be done 
in order by labels of nodes to avoid deadlock.) We 
show that the ABA problem on the info fields is avoided 
because whenever an info field is changed, it is set to 
a newly created Flag or Unflag object. Then, we show 
that the CAS steps succeed in the correct order even if 
they are performed by helpers. 

We say that a node is marked if its info field is a Flag 
object / and the node does not appear in I.unflag and 
some call to help(/) has performed a child CAS. We 
show that if an internal node is removed from the trie, it 
is marked at all times after that. After a node is removed, 
it is never inserted into the trie again. Next, we show that 
the ABA problem on the child fields is avoided because 
whenever a child pointer is changed, the old child is 
permanently removed from the trie. The proofs of the 
lemmas in Part 1 are mostly focused on the structure 
of the help routine. So, any new update that preserves 
the main invariants of the trie can be added with minor 
changes to the correctness proof. 

Part 2 proves that search operations are linearized 
correctly. First, we show that each node a search visits 
was reachable at some time during the operation. Let ( -, 
-, node, -, -, rmvd) be the result returned by a search(w). 
If node is a leaf containing v and rmvd is false, we show 
that node was reachable and not logically removed at 
some time during the search. The search is linearized at 
that time. If node is not a leaf containing v or node is a 
leaf containing v but rmvd is true, we show that there 
is a time during the search that no leaf containing v is 
logically in the trie. The search is linearized at that time. 

Part 3 proves that update operations are linearized 
correctly. Let T be the linearization point of a successful 
update operation. Since all nodes are flagged success- 
fully, no other concurrent update can change a flagged 
node's child between the time when the info field of node 
is read for the last time during the search and the time 
the node is unflagged. Thus, only the child CAS steps 
of the update would change that part of the trie during 
that period of the time. Flagging ensures that the first 
child CAS of the update has the effect of implementing 



precisely the change shown in Figure |5] or |6] atomic ally. 

Part 4 proves that the implementation is non-blocking. 
To derive a contradiction, assume after time T, no 
operation terminates or fails. Let / be a Flag object 
created by an update that is running after T. If a call 
to help(/) returns true, the update terminates, so after 
T, all calls to help(/) return false. Thus, all calls to 
help(/) set doChildC AS to false because they failed 
to flag an internal node successfully after T. Consider 
the group of all calls to help(/). We say the group blames 
an internal node which is the first node that no call to 
help(/) could flag successfully. Let go, 3m be all 
these groups ordered by the labels of the nodes that 
they blame. Since g„i blames an internal node x, x is 
flagged by some other group gi where < i < m. Thus, 
gi blames some other node y whose label is less than x. 
So, gi flags X before attempting to flag y, contradicting 
the fact that gi flags internal nodes in order. 

V. Empirical Evaluation 

We experimentally compared the performance of our 
implementation (PAT) with non-blocking binary search 
trees (BST) non-blocking k-ary search trees (4- 

ST) 1 8 1, Concun-entSkipListMap (SL) of the Java library, 
lock-based AVE trees (AVE) 1 6 1 and non-blocking hash 
tries (Ctrie) Ii24l . For the k-ary search trees, we use the 
value fc = 4, which was found to be optimal in fS). 
Nodes in Ctrie have up to 32 children. 

The experiments were executed on a Sun SPARC 
Enterprise T5240 with 32GB RAM. The machine had 
two UltraSPARC T2h- processors, each having eight 
1.2GHz cores, for a total of 128 hardware threads. The 
experiments were run in Java. The sun JVM version 
1.7.0_3 was run in server mode. The heap size was 
set to 2G. This ensures the garbage collector would not 
be invoked too often, so that the measurements reflect 
the running time of the algorithms themselves. Using a 
smaller heap size affects the performance of BST, 4-ST 
and PAT more than AVE and SL since they create more 
objects. 

We evaluated the algorithms in different scenarios. 
We ran most experiments using uniformly distributed 
random keys. We ran the algorithms using uniformly 
distributed keys in two different ranges: (0,10^) to 
measure performance under high contention and (0, 10^) 
for low contention. (We also ran the experiments for the 
key range of (0, 10^) for medium contention, but since 
the results were very similar to the low contention case, 
we do not present them here.) We ran experiments with 
two different operation ratios: 5% inserts, 5% deletes and 
90% finds (i5-d5-f90), and 50% inserts, 50% deletes and 
0% finds (i50-d50-fO). (We also ran the experiments with 
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Fig. 7. The correct order of steps inside help(/) for eacli Flag object /. (Steps can be performed by different calls to help(7).) 



ratio of 15% inserts, 15% deletes and 70% finds. Since 
the results were similar to the experiments with the ratio 
of (i5-d5-f90), we do not present them here.) 

Since the replace operation is not used in these sets 
of experiments, we made some minor optimization to 
the pseudo-code. For example, we eliminated the rmvd 
variable in search operations. 

Since the Java compiler optimizes its running code, 
before each experiment, we perform (i50-d50-fO) for 
ten seconds for each implementation. We start each 
experiment with a tree initialized to be half-full, created 
by running updates in the ration i50-d50-fO. Each data 
point in our graphs is the average of eight 4-second 
trials. (The error bars in the charts shows the standard 
deviation.) 

For uniformly distributed keys, algorithms scale well 
under low contention (key range of (0, 10^)). (See Figure 
[s]) Under very high contention (key range of (0, 10^)), 
most scale reasonably well when the fraction of updates 
is low, but experience problems when all operation are 
updates. (See Figure|9]) When the range is (0, 10^), Ctrie 
outperforms all others since the height of the Ctrie is 
small compared to the others because node can have 
up to 32 children. However when the range is (0, 10^) 
and the contention is very high, Ctrie does not scale. 
Excluding Ctrie, when the range is (0, 10^), PAT, 4-ST 
and BST outperform AVL and SL. Since updates are 
more expensive than finds, the throughput is greater for 
i5-d5-f90 than for i50-d50-fO. 

To evaluate the replace operations, we ran an exper- 
iment with 10% inserts, 10% deletes and 80% replace 
operations (ilO-dlO-r80) and a key range of (0, 10^) on 



uniformly random keys. (See Figure 10 ) We could not 
compare these results with other data structure since 
none provide atomic replace operations. As the chart 
shows, the replace operation scales well as the number 
of threads increases. 

We also performed some experiments on non- 
uniformly distributed random keys. To generate non- 
uniform keys, processes performed operations on se- 
quence of 50 consecutive keys, starting from a randomly 
chosen key. When keys are not uniformly distributed and 
key range is (0, 10^), Ctrie and then PAT outperform 
others greatly since they maintain a fixed height without 
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Fig. 8. Uniformly distributed keys 
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Fig. 9. Uniformly distributed keys 



doing expensive balancing operations. (See Figure 11 ) 
Since the results of these experiments for other oper- 
ations ratios were similar, only the chart for the ratio 
il5-dl5-f70 is presented here. Longer sequences of keys 
degrade the performance of BST and 4-ST even further. 
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Fig. 10. Replace operations of PAT 
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Fig. 11. Non-uniformly distributed keys (The lines for BST, 4-ST, 
AVL and SL overlap.) 

VI. Conclusion 

Our algorithms can also be used to store unbounded 
length strings. One approach would be to append $ to 
the end of each string. To encode a binary string, 0, 1 
and $ can be represented by 01, 10 and 11. Then, every 
encoded key is greater than 00 and smaller than 111, so 
00 and 111 can be used as keys of the two dummy nodes. 
With this modifications, searches would be non-blocking 
but not wait-free. Moreover, since labels of nodes never 
change, they need not fit in a dingle word. 

The approach used in the replace operation can be 
used for operations on other data structures that must 
change several pointers atomically. Future work includes 
providing the general framework for doing this on any 
tree-based structure. Such a framework would have to 
guarantee that all changes become visible to query 
operations at the same time. Brown et al. [71 proposed 
a general technique for non-blocking trees that support 
one change to the tree atomically. 

Since our algorithms create many Flag objects to avoid 
using locks, finding more efficient memory management 
techniques is an important area for future work. 
Acknowledgments. 1 thank my supervisor, Eric Ruppert 
for his guidance and support, Trevor Brown for providing 
lots of help and code for the experiments and Michael 
L. Scott for giving us access to his multicore machines. 
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Appendix 



A. Preconditions and Basic Invariants 



In this section, we show that the algorithms satisfy some basic invariants. First, we have the following observations 
from the pseudo-code. 

Observation 1. The label field of a Node is never changed. No field of an Info object is changed except the state 
field. 

Observation 2. The root pointer is never changed and root.label is e. 

Now, we prove that the precondition of the help routine is satisfied. 
Lemma 3. Each call to the help routine satisfies its precondition. 



Proof: We show that, for each call to help(/), / is a Flag object. Just before calling help(/) at line 110 or 119 



the operation checks that / is a Flag object. Update operations call help(/) at line[32] |4T]or|7T|just after creating 
a new Flag object /. ■ 



A CAS step that tries to change the child field of an internal node at line 98 inside help(/) is called a child CAS 
of I. 

Next, we show that each internal node has two non-null children, non-null values are passed to createNode and 
node is set to non-null value during the search operation. 

Lemma 4. 1) Every internal node has two non-null children. 

2) Every call to createNode satisfies its pre-condition. 

3) Any process executing the loop of search has a non-null value in its node variable. 

A) If a search returns {gp, p, node, -, -, -), then p is an internal node and if gp is not null, gp is an internal 
node. 

Proof: Assume the lemma is true before the step at time T. We shall prove the lemma is true after that step. 
(1) We show that Claim 1 is true if a new internal node is created at T or if a child field is changed at T. First, 
suppose a new internal node is created at time T. We show that the internal node that is created at T has two 
non-null children. A new internal node is created at line [19] |121| [26l or [52] If a new internal node is created at line 
19 at time T, the children of the new node are set to two new nodes that are created at that line. If a new copy 
of an internal node is made at line 26 or 52 at time T, since the lemma is true at all times before T, a new copy 



of some non-null node is made at T and the children of the new copy of the node are set to two non-null nodes 
at T. If a new node is created at line |121| inside createNode(no(iei, node2), since the invariant is true before T, 
nodei and node2 are non-null nodes and the children of the new node are set to nodei and node2 at T. 

Now, suppose the child field of an internal node is changed at T. The child field of an internal node is changed 
only at line [98] Let / be a Flag object such that a child CAS of / is executed at T. We consider each way that / 
could have been created. For each case, we show that, for all i, I .newChild[i] is a non-null node. 

If / is created at line 30 3T| |55] 57j 64 or 70 I .newNode[Q\ is set to a non-null node that is created at line 



121| inside createNode, which is called at line |27[ [53] [62[ or [69] 



If / is created at line 59 I.newNode^] is set to a non-null node that is created at that line. 

If i — Q and / is created at line 40 or i = 1 and / is created at line [55] or |57] let 
returned by the preceding call to search(waO on line 36 or 
read at line 38 or 50 before T. Since the lemma is true before T, I .newNodelQ] is set to a non-null node. 



be the result 



47 Then, I .newNode[{)\ is set to a child of p that is 



(2) Suppose createNode(noc?ei, node2) is called at T from line 27 |53] |62] |67] or 69 We show that nodei and 
node2 are non-null. 

If createNode(7io(iei, node2) is called at line [27 



or 



53 nodei is a new copy of node that is returned by the 



search operation at line 23 orHT] Since the lemma is true prior to T, nodei is non-null. Then, node2 is a new leaf 
node that is created at line I27l or |53] 

-, -) be the result returned by the call to search(uaO 



If createNode(no(iei, node2) is called at line 62 let (-, p. 



on line |47] Then, node2 is a new leaf node that is created at line [62] and nodei is a child of p that is read at line 
[50[ before T. Since the lemma is true before T, nodei is a non-null node. 



12 



If createNode(no(iei, node2) is called at line 67 let {gp, p, -, -, -, -) be the result returned by the call to 
search(waZ) on line |47] Then, nodei is a child of p that is read at line |50] and node2 is a child of gp that is read 
at line [66] Since the lemma is true before T, nodei and node2 are non-null nodes. 

If createNode(noc?ei, node2) is called at line [69] nodei is a new node that is created at line [67] and node2 is a 
new leaf node that is created at line [69] 

(3) Before entering the loop of the search routines, node is set to root, which is not null. We must show that if 



node is set on line 82 at T, it is non-null. Since node is set to a child of a node at T and the lemma is true prior 
to T, node is set to a non-null node at T. 



(4) During the search operation, node is initialized to root at line 78 so at least one iteration of the loop is 
performed (since root is an internal node and root.lahel = e by Observation |2|. By the test at line 79 



p IS an 



internal node after every execution of line 8 1 



In the first loop iteration, gp is set to null. In each subsequent iteration, gp is set to an internal node at line 80 



(since p is always an internal node after each execution of line 8 1 
By Lemma |4] we have the following observation. 



be the result returned by a call to the search operation on line 45 and 



Observation 5. Let {gp^, -, -, -, 

nodei, -, -, -) be the result returned by another call to the search operation on line 47 If gpd 
is an internal node. 



nodei, then nodei 



We use a • 6 to denote the concatenation of a and b. Now, we show that the search operation satisfies some of 
its post-conditions if it returns. 

Lemma 6. Assume search(val) returns {gp, p, node, gplnfo, pinfo, rmvd). The following statements are true. 

1) If gp is not null, then, at some time during the search operation, gp.info was gplnfo, and at some later 
time during the search operation, p was a child of gp. 

2) Then, at some later time during the search operation, p.info was pInfo, and at some later time during the 
search operation, p.child[i] = node for some i. 

3) (p.label) ■ i is a prefix of val. 

4) If node is an internal node, node.label is not a prefix of val. 

Proof: During the search operation, node is initialized to root at line [78] so at least one iteration of the loop 
is performed (since root is an internal node and root. label = e by Observation |2]i. 

1) Assume gp is not null. By Lemma [4] gp is an internal node. Since gp is set to null during the first loop 
iteration, the search operation does not exit the loop after the first loop iteration. During the second last loop 



2) 



iteration, pInfo and p are set at line [8T| and node is set to a child of p at line 82 Then, during the last loop 
iteration, gplnfo and gp are set to pInfo and p at line [80] and p is set to node at line [ST] So, when line 
JST] was executed for the second last time, gp.info — gplnfo and then, when line [82] was executed for the 
second last time, p was a child of gp. 

By Lemma ]4] p is an internal node. During the last loop iteration, pInfo and p are set at line 81 and node 
is set to a child of p at line]82] So, when line jsT] was executed for the last time, p.info ~ pInfo and then, 
when line [82] was executed for the last time, p.child[i] = node for some i. 



3) During the last loop iteration, p is set to node at line^T] Since the condition at line 79 is true at the beginning 



of that iteration, p is set to an internal node whose label is a prefix of val. At the last execution of line 82 
node is set to p.child[i] such that i = {\p.label\ + l)th bit of val. So, (p.label) ■ i is a prefix of val. 



4) 



Since the search operation exits the loop, the condition is false at the last execution of fine 79 If node is an 
internal node, node.label is not a prefix of val. 



Next, we show that, just after a child field is set, the following Patricia trie property is preserved: if x.child[i] = y, 
then {x.label) • i is a prefix of y. label. 

Invariant 7. Let x be an internal node and y — x.child[i]. Then, {x.label) ■ i is a prefix of y. label. 



Proof: By Observation [T] no label field of a node is ever changed. So, we need only show that the lines 19 
26 121 and 52 which create new internal nodes, and line 98 which changes the child field of an internal node. 
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preserve the invariant. We assume the invariant holds at all times prior to T and we prove that the invariant is true 
just after T. First, we show if a new internal node is created at T, the invariant is preserved. 

Line 19 creates a new internal node root that has two children. Initially, root.label = e, root.child[0].label = 
000.. .0 and root.child[l]. label = 

If a new copy of an internal node is created on line |26] or |52] at T, since the invariant is true at all times before 
T, the new copy of the node satisfies the invariant. 

If a new node is created at line 121 inside createNode, its label is the longest common prefix of the label fields 
of its children. Since the two children's labels are not prefixes of each other, the invariant is true. 

In the remainder of the proof, we show if a child CAS of / succeeds at T, the invariant is preserved. 
The child CAS changes I.pNode[j].child[i] from I.oldChild[j] to I.newChild[j] (for some j) where i is the 
{\I .pNode[j]. label + l|)th bit of I .newChild[j].label. Thus, it suffices to show that I.pNode[j].label is a proper 
prefix of I.newChild[j].label. We consider each way that / could have been created. By Observation [T] after the 
initialization of /, no field of / is changed except the flagDone field. 

-) be the result returned by the call to search(uaO 



Case 1: / is created at line 30 or 31 



Let ( -, p, node, ■ 

on line 23 that precedes the creation of /. Then, newNode is the new node that is created at line |27] and whose 
children are a new copy of node and a new leaf node whose label is val. In this case, I .pN ode[Q] = p and 
I .newChild[0] — newNode. By Lemma |6] p.child[k] — node for some k at some time before T. Since the 
invariant is true before T, (p.label) • A; is a prefix of node.label. By Lemma[6] [p.label) • fc is a prefix of val. Since 
new Node. label is the longest common prefix of val and node.label, (p.label) • fc is a prefix of new Node. label. 
Case 2: / is created at line |40| Let [gp, p, node, -, -, -) be the result returned by the call to search(uaO on line 



36 that precedes the creation of /. Let nodeSibling be the child of p that is read at line 38 Since the invariant 
is true before T, p.label is a prefix of nodeSibling. label. In this case, I.pNode[0] — gp, I.oldChild[0] = p, 
and I.newChild[0] = nodeSibling. Since the child CAS succeeds at T, gp.child[i] was p just before T. Since 
the invariant is true before T, (gp.label) ■ i is a prefix of p.label. Since p.label is a prefix of nodeSibling .label, 
(gp.label) • i is a prefix of nodeSibling .label. 

Case 3: / is created at line 55 or|57] Let {gpd, Pd, nodea, -, -, -) and ( -, pi, nodei, -, -, -) be the results returned 
by the calls to the search routine on line 45 and 47 that precede the creation of /. Then, I.pNode[0] — pi and 
I.newChild[0] is the new node that is created at line 53 By the same argument as in Case 1, the invariant is true 



if a child CAS of / on I .pNode[0] succeeds at T. Let nodeSibling be the child of pd that is read on line 50 
Then, I.pNode[l] = gpd and I.newChild[l] = nodeSibling. By the same argument as in Case 2, the invariant is 
true if a child CAS of / on I.pNode[l] succeeds at T. 

Case 4: / is created at line|59] Let ( -, pi, nodei, -, -, -) be the result returned by the call to seaich(vali) on line 
47 that precedes the creation of /. In this case, I.pNode[0] = pi and I .newChild[Q\ is a new leaf node whose 



and 



-, Pi 



nodei 



-) be the results returned 



label is vak. By Lemma |6] pi.label is a proper prefix of vaU 
Case 5: / is created at line 64 Let {gpd, Pd, noded, -, -, - 
by the calls to the search routine on line |45] and 47 that precede the creation of /. Let nodeSibling be the child 
of Pd that is read at line |50] and newNode be the new node that is created at line |62] and whose children are 
nodeSibling and a new leaf node whose label is vaU. In this case, I.pNode\fS\ = pi, I.oldChild[0] — nodei 
and I.newChild[0] — newNode. Since the child CAS succeeds at T, gpd.child[i] was pd just before T. Since 
the invariant is true before T, [gpd.label) • i is a prefix of pd-label. Since the invariant is true before T and 
nodeSibling is a child of pd before T, pd-label is a prefix of nodeSibling .label. So, (gpd.label) • i is a prefix of 
nodeSibling. label. 

If the condition at line 60 is true, by Lemma|6] (gpd.label) • i is a prefix of vak (since pi = gpd and nodei = pd). 
If the condition at line 61 is true, by Lemma|6] pi. label is a prefix of vak, so {gpd.label) ■ i is a prefix of vak (since 
Pi = Pd)- Since the children of newNode are nodeSibling and a new leaf node whose label is vak, (gPd-la-bel) ■ i 
is a prefix of new Node. label. 

Case 6: / is created at line 70 Let {gpd, Pd, noded, -, -, -) and ( -, pi, nodei, -, -, -) be the results returned by 
the calls to the search routine on line |45] and 47 that precede the creation of /. Let nodeSibling be the child of pd 
that is read at line |50] and pSibling be the child of gpd that is read at line |66] Then, newChild is the new node 
that is created at lin e [67] and whose children are nodeSibling and pSibling. Then, newNode is the new node 
that is created at line |69|and whose children are newChild and a new leaf node whose label is vak. In this case, 
nodei = gpd, I .pNode[0\ — pi, I .oldChild[0] = nodei and I .newChild[0] — newNode. 
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By Lemma |6j pd was a child of gp^ — nodei at some time before T. Since the invariant is true before T, 
nodci-label is a prefix of pd-label. Since the invariant is true before T and nodeSibling is a child of pd before T, 
Pd-label is a prefix of nodeSihling. label. So, nodci.label is a prefix of nodeSibling. label. Since the child CAS 
succeeds at T, pi.child[i] — nodei just before T. Since the invariant is true before T, (pi.label) ■ i is a prefix of 
nodei.label. Since nodei.label is a prefix of nodeSibling .label, (pi.label) • i is a prefix of nodeSibling. label. 

Since the invariant is true before T and pSibling is a child of gpd — nodei before T, nodei.label is a prefix of 
pSibling.label. Since (pi.label) ■ i is a prefix of nodei.label, (pi.label) • i is a prefix of pSibling. label. Since the 
children of newC'hild are nodeSibling and pSibling, (pi.label) • i is a prefix of newChild.label. 

By Lemma [6] (pi.label) • i is a prefix of vali. Since the children of newNode are newChild and a new leaf 
node whose label is vali, [pi.label) • i is a prefix of new Node. label. ■ 

We say that an internal node pNode is a parent of a node cNode at time T, if cNode is an element of 
pNode.child at time T. Note that a node cNode may have more than one parent at time T. (For example, this 
occurs if cNode's parent has been removed from the tree but still has a child pointer to cNode.) 

We say that a node anc is an ancestor of a node x at time T if there is a path consisting of child pointers from 
anc to X at time T. We say that node x is a. descendant of anc at time T. If anc 7^ x, we say anc is a proper 
ancestor of a node a; at time T and a; is a proper descendant of a node anc at time T. We say a node x is reachable 
at time T if root is an ancestor of x at time T. 

The rooi cannot have a parent a; because x.label would have to be a proper prefix of root.label = e by Invariant 

m 

Corollary 8. The root does not have any parent at any time. 

Lemma 9. At all times, if nodei and node2 are reachable and have the same label, then nodei — node2 and 
there is exactly one reachable parent of nodei (unless nodei is the root). 

Proof Let vo,vi, ...,Vn-i,Vn be a path consisting of child pointers at time T such that va = root and 
Vn — nodei and Wq, w^, wj„_]^, w,'„ be a path consisting of child pointers at time T such that Vq — root and 
v'^ = node2. Without loss of generality, assume n <m. 

By induction, we show these two paths are the same. Since vq = root and v'^ = root, vq = v'q. Assuming 
Vi-i = v[_-y, we show that Vi = v[. By Invariant ItI (vi-i.label) ■ j is a prefix of nodei.label — node2dabel 
for some j. Since, by Invariant |7] Vi.label and w^.Zaoe/ are prefixes of nodei.label — node2.label and Vi-idabel 
is a proper prefix of Vi. label and vi.label, (vi^i.label) ■ j is a prefix of Vi.label and vi.label. By Invariant |7] 
Vi^i.child[j] — Vi at time T and Vi^i.child[j] = v[ at time T, so Vi = v[. 

So, nodei — v'^. Then, n — m since v'^-^.label is not a proper prefix of node2.label. Therefore, = v'„-^ and 
nodei — node2. 

Since u„_i = v'^n-i' if nodei 7^ root, there is exactly one reachable parent of nodei at time T. ■ 

B. Behaviour of CAS Steps on info Fields 

In this section, we show how CAS steps change the info field of nodes. First, we define flagging and unflagging 
of nodes formally. 

Definition 10. Let x be a node. If x. info is a Flag object at time T, we say x is flagged at time T. The CAS step 
at line |90| is called a flag CAS. 

Definition 11. Let x be an internal node. If x.info is an Unflag object at time T, we say x is unflagged at time 



T. The CAS step at line 101 is called an unflag CAS. The CAS step at line 105 is called a backtrack CAS. 



All nodes are unflagged when they are created. A leaf node can only become flagged at line 95 Once a leaf 
node is flagged, it can never become unflagged. The following lemma describes how the info field of an internal 
node is initialized and changed when the node becomes flagged or unflagged. 

Lemma 12. Let x be an internal node. When node x is created, x.info is initially set to a new Unflag object. The 
only changes to x.info that can occur are (1) a flag CAS at line^O\that changes x.info from an Unflag object to 



a Flag object, or (2) an unflag CAS at line 101 or a backtrack CAS at line 105 that changes x.info from a Flag 
object to a newly created Unflag object. 
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Proof: A new internal node is only created at line 19 26 121 or 52 and the info field of the new internal 



node is initially set to a new Unflag object. The only lines that can change x.info are line 90 101 and 105 



Suppose a flag CAS at line 90 inside help(/) succeeds to change x.info from an element of I.oldlnfo to /. 
By Lemma [3j / is a Flag object. Before creating /, the operation checks that each value stored in I.oldlnfo is an 



Unflag object at line 109 



Suppose an unflag or backtrack CAS inside help(/) succeeds to change x.info. By Lemma [5] / is a Flag object. 
So, x.info was equal to / just before the unflag or backtrack CAS and, just after the unflag or backtrack CAS, 
x.info is changed to a newly created Unflag object. ■ 
Let / be a Flag object. Elements of I. flag are ordered at line 1 15| before / is created. Let Fj be the set of all 
nodes in the I. flag array and Ui be the set of all nodes in the I .unflag array. By the pseudo-code, Ui C Fi. 

A flag, unflag or backtrack CAS step executed inside help(/) is called a CAS step of /. A flag CAS of / attempts 
to change the info field of an internal node in Fj from an Unflag object to /. An unflag CAS of / attempts to 
change the info field of an internal node in [// from / to a new Unflag object. A backtrack CAS of / attempts to 
change the info field of an internal node in Fi from / to a new Unflag object. 



By Lemma 12 we have the following corollary. 



Corollary 13. Let I be a Flag object. After an internal node x is flagged by a flag CAS of /, the next change to 
x.info can only be done by an unflag or backtrack CAS of L 



Let / be a Flag object. A flag CAS of / at line 90 inside help(J) tries to change Lflag[i].info from LoldInfo[i] 
to / for some i. The following lemma shows that I.flag[i].info was equal to I.oldInfo[i] at some time before / 
was created. 

Lemma 14. Let I be a Flag object. Then, each entry of Fflag[i] is an internal node. Also, if x — I.flag[i\ (for 
some i), then x.info was LoldInfo[i] at some time before I was created. 

Proof Just before creating /, an update operation calls search once (for insert and delete) or twice (for replace). 
If one such search returns {gp, p, node, gplnfo, pinfo, 
1401 1551 1571 1591 



), then Fflag[i] is set to p, gp or node at line 30 31 



By Lemma 



J64]or|70] 

41 p is an internal node and gp is an internal node if gp is not null. If I.flag[i] is set to gp at line 



If Lflag[i] is set to node at line [30| or 



40 55 57 64 gp is not null by the pseudo-code. If Fflag[i] is set to gp at line 70 gp is not null by Observation 
SpWhen I.flag[i] is set to p or gp at line 30 31 40 55] 57j 59 64 or 70 I .oldInfo[i] is set to the corresponding 
pInfo or gplnfo. By Lemma |6] I.flag[i 



info — I .oldInfo[i] at some time during search(wa/). 
55 node is an internal node. Then, I.oldInfo[i] is set to a value read 



from node. info at line 25 or|49j ■ 
Suppose some process reads a value old in some variable x at time T and then later performs a CAS that changes 
X from old to new at time T' . Some of the later parts of our proof of correctness will rely on the fact that x has 
not been changed from old between T and T'. If x is changed between T and T' and x is changed back to old just 
before T', the CAS step would incorrectly change x to new. This situation is called the ABA problem. Since CAS 
steps are used to change the info and child fields of internal nodes, we show that the ABA problem is avoided 
on the info and child fields of internal nodes. First, we show that the info field of an internal node is not set to 
a value that it has had previously. 

Lemma 15. Let x be an internal node. Then, x.info is never set to a value that it has had previously. 

Proof: Assume x.info is set to new at time T. We show that x.info ^ new at all times before T. First, 



consider the case where new is an Unflag object. By Lemma [12] only the CAS steps at line 1 1 1 1 and 1 1 05 1 change 
x.info to an Unflag object. Since, at those lines, the CAS step changes x.info to a newly created Unflag object, 
x.info is never set at line 



101 or 105 to a value that it has had previously. 



Now, consider the case where new is a Flag object. By Lemma 12 only the CAS step at line 90 inside help(neti;) 
tries to change x.info to new. To derive a contradiction, assume the lemma is violated for the first time at time T. 
Then, x.info is set to new at time T and x.info had value new at some time before T. Since x.info is initially 
an Unflag object when x is created, there must exist a CAS step that sets x.info to new at some time T' before 
time T. Let ii and ^2 be the values of i when a process executes line 90 at T' and T. Then, new.flag[ii\ = x and 
new.flag[i2] = x. Since only one copy of duplicate elements of new. flag is kept at line 114 ii — i2- Let old be 
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new .oldinf o[ii\ = new.oldInfo[i2\. At time T', x.info is changed from old to new. Then, at time T, x.info is 
changed from old to new. Thus, x.info is set to oZd again between T' and T, contradicting the assumption that 
the lemma is violated for the first time at time T. ■ 



So, by Lemma 15 if a CAS step succeeds to change the info field of an internal node from some old value to 
some new value, the info field of the internal node has not been changed since the time that the value of the info 
field of the internal node was read as the old value. Thus, the ABA problem on the info fields of internal nodes 
is avoided. 

In the Patricia trie implementation, update operations might help one another to flag and unflag nodes by calling 



the help routine at line 110 So, there might be several CAS steps that try to change the info field of some internal 
node from a value old to some value new. We show only the first CAS step among the CAS steps of this group 
can succeed to change the info field of the internal node from old to new. 

Lemma 16. Let x be an internal node. Assume a group of CAS steps tries to change x.info from old to new. 
Only the first CAS step in this group might succeed. 



Proof: Assume a group of CAS steps each tries to change x.info from old to new. By Lemma 12 



no two 



CAS steps can try to change x.info to the same Unflag object. So, new must be a Flag object. Thus, the CAS steps 
that try to change x.info are Flag CASs inside calls to helpCnew). So, there is some i such that new.flag[i] = x 
and new. oldinf o[i] = old. By Lemma 14 x.info — old at some time before new is created. So, all CAS steps 



that try to change x.info from old to new occur after a time when the value of x.info is old. After a CAS step 



changes x.info from old to some value, by Lemma 15 x.info is not set to old again. If the first CAS step among 
the CAS steps in the group changes x.info from old to new, no other CAS step in the group can change x.info 
from old to new. If the first CAS step among the CAS steps in the group does not change x.info from old to new, 
x.info has already been changed from old to some other value and no other CAS step in the group can change 
x.info from old to new. ■ 
Let / be a Flag object. Recall that Fj is the set of all nodes in the I. flag array. To avoid live-lock in flagging 
internal nodes, all operations try to flag internal nodes in some defined order. Before creating /, elements of Fj 
are sorted at line |115| We show that if elements of Fj are successfully flagged by flag CAS steps of /, they are 
flagged in order 



Lemma 17. Let I be a Flag object and let f be the number of of entries in I. flag. For < i < f — I, 
CAS of I does not successfully flag Fflag[i + 1] unless Fflag[i] is flagged earlier by a flag CAS of L 



a flag 



Proof: Assume a help routine tries to flag I .flag[i + l\ using a flag CAS of /. Then, the doChildCAS variable 



is true at the previous execution of line 91 After the help routine tries to flag a node, doChildC AS is set to false 
at line 91 if the info field of the node is not /. So, the help routine tries to flag I.flag[i + 1] using a flag CAS of 
/ only if I.flag[i].info was /. Thus, by Lemma 12 I.flag[i] has already been flagged by a flag CAS of /. ■ 



If I.flagDone is true at line 99 help(/) performs unflag CAS steps on the nodes in Uj at line 101| Otherwise, 
help(J) performs backtrack CAS steps on the nodes in Fj at line 105 The following lemma shows that I.flagDone 



is set to true at line only after all nodes in Fj get flagged successfully by flag CAS steps of /. 



Lemma 18. Let I be a Flag object. Before I.flagDone is set to true at line 94 all nodes in Fj are flagged by 
flag CAS steps of I. 



Proof: The help routine sets I .flagDone to true at line 94 only if the doChildCAS variable is true at line 



93 If the info field of I.flag[i] ^ I for any i, doChildCAS gets set to false at line 91 and the loop terminates. 



So, doChildCAS is true at line |93] only if all nodes in Fj were flagged successfully using flag CAS steps of /. ■ 
From the pseudo-code, we have the following observations. 

Observation 19. Let I be a Flag object. I .flagDone is initially false and I.flagDone is only set to true. 

Observation 20. Let I be a Flag object. Then, I .flagDone is set to true before any child CAS step of I occurs. 



We wish to show that the child field of an internal node is changed by a child CAS of / at Une 98 only while 
all internal nodes in Fj are flagged by /. First, we show a child CAS of / is executed only after all nodes in Fj 
get flagged using flag CAS steps of /. Then, we show that, for all j, there is no successful unflag or backtrack 



17 



CAS of / before the first child CAS of / on I.pNode[j]. 



Lemma 21. 

steps of I. 



Let I be a Flag object. A child CAS step of I is preceded by flagging all nodes in Fj using flag CAS 



Proof: By Observation l20] a child CAS step of / can be executed only after I.flagDone is set to true. By 



Lemma 18 setting FflagDone to true is preceded by flagging all nodes in Fj using flag CAS steps of /. 



Lemma 22. Let I be a Flag object. If there is any child CAS of I, then for all j, there is no unflag or backtrack 
CAS of I before the flrst child CAS step of I on LpNode[j]. 

Proof: We prove the lemma by contradiction. Assume that for some j, the first child CAS of / on I.pNode[j] 
is at time T and an invocation H of help(/) executes the first unflag or backtrack CAS of / at T' before T. 
Since the first child CAS of / on I.pNode[j] is at T, H does not execute any child CAS of / on I.pNode[j] at 



line 98 before T'. So, the doChildC AS variable is false when H performs line 93 before T' . Thus, H sets the 
doChildCAS variable to false at line [91] when y.info ^ I just after H tries to flag some node y by a flag CAS 



of 7. By Lemma 21 since y G Fj, y.info is set to / before T. By Lemma 16 only the first flag CAS of / on 



y.info succeeds. Since a flag CAS of / on y.info is performed just before the line 91 y.info is set to / before 



H executes line 91 Then, it is changed from / to another value before H reads y.info at line 91 contradicting 
the fact that the first unflag or backtrack CAS of / is at time T' . ■ 
Next, we show that there is no backtrack CAS of / after the first child CAS of /. This will imply that nodes in 
Fj — Ui remain flagged forever after a child CAS of / occurs. 

Lemma 23. Let I be a Flag object. If there is any child CAS of I, there is no backtrack CAS of I. 



Proof: Assume the first child CAS of / is at time T. By Lemma 22 there is no backtrack CAS of / before 
T. To derive a contradiction, assume the first backtrack CAS of / after T is performed by some invocation H of 
help(/). 



Then, when H checks I.flagDone at line 99 I .flagDone is false. By Observation 20 I .flagDone is set to 



true before T, so H performs line |99] before T. Since H does not set I.flagDone to true at linej94] H must have 
set doChildCAS to false at line |9 1 1 after seeing y.info ^ I for some node y £ Fi at line |91| By Lemma 21 
y.info is set to / before T. By Lemma 16 the first flag CAS of / on y.info succeeds. So, y.info is changed 



from / to another value before H reads y.info at line 91 which is prior to T (since H performs line 99 before 
T). This contradicts Lemma [22] ■ 
By the pseudo-code, we have the following lemma. 

Observation 24. Let I be a Flag object. For each i, I.pNode[i] £ Fj and I.pNode[i] £ Ui. 

Let / be a Flag object and x £ Fj. The following lemma shows what the value of x.info is between the time 
when x.info is read during the search preceding the creation of / and the successful child CAS of /. 

Lemma 25. Let I be a Flag object and x — I.flag[i] and xinfo ~ I .oldInfo[i] for some i. Suppose x.info = 
xinfo at time Ti and for some j the flrst child CAS of I on I.pNode[j] occurs at time T2 > Ti. Then, at all 
times between Ti and T2, x.info is either xinfo or I. 



Proof: By Lemma 21 x.info is changed from xinfo to / between Ti and T2. By Lemma p3] x.info — xinfo 
at all times between Ti and the time when x.info is set to /. By Lemma 15 and 22 x.info = / at all times 
between the time when x.info is set to / and T2. ■ 
Let / be a Flag object that is created by a replace operation. Then, the leaf node I .rmvLeaf might be flagged 



at Une 95 during help(/). By Lemma fTSl and the pseudo-code, we have the following observation. 



Observation 26. Let I be a Flag object. Then, I.rmvLeaf is a leaf node if and only if I is created at line 55 or 
57. For such Flag object I, setting I.rmvLeaf .info to I is preceded by flagging all nodes in Fj using flag CASs 
of I and setting I .flagDone to true. Furthermore, a child CAS of I is preceded by setting I.rmvLeaf .info to I. 
After I .rmvLeaf is flagged, it never becomes unflagged. 

C. Behaviour of CAS Steps on child Fields 

In this section, we show how CAS steps change the child field of nodes. 
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Just before creating a Flag object /, an update operation calls search once (for insert and delete) or twice (for 
replace). Then, for each i, I.pNode[i] and I.oldChild[i] are set to either gp and p or p and node where {gp , p, 
node, -, -, -) is the result of one of these searches. So, by Lemma |6] we have the following observation. 

Observation 27. Let I be a Flag object. The values of I.pNode[i] and I .oldChild[{\ are returned by a call to the 
search operation that precedes the creation of I. At some point during that search operation, I.oldChild[i] was a 
child of I .pNode[i\. 

Next, we show that each successful child CAS changes the child field of an internal node from some old value 
to some new value that is different from the old value. 

Lemma 28. Let I be a Flag object. Then for all i, I .oldChild[i] ^ I .newChild[i]. 



Proof: If i = and / is created on line 30 31 55 57 59j 64 or 70 then I.newChild[i] is a newly created node, 
I.oldChild[i] is set to node or p where (— , p, node, -,-,-) was returned by a search operation that preceded 
the creation of /. By Lemma [6| I .o ldChild[i] was a child of some internal node during the search operation. 



I .newChild[i] is created at line 121 



59 after the search operation returns. So, I .oldChild[i] ^ I.newChild[i]. 
If z = and / is created on line |40| or if i = 1 and / is created at line |55] or |57j then I .oldChild is set to p and 

■ 50 By Invariant [T] I .oldChild[i] ^ I .newChild[i]. 



the value of I .newChild is read from p.child at line 38 



The decision of which child to update is made at line |97| based on the {\I .pNode[i].label\ + l)th bit of 
I.newChild[i].label. Now, we show the child CAS changes the same element of the child field that is read 
during the search operation. 



Lemma 29. Let I be a Flag object. Then, for each 
I .newChild\i].label are the same. 



\I .pNode[i].label\ + l)th bit of I.oldChild[i].label and 



Proof: Let k be \I .pNode[i].label 
line created /. 

Case 1: / is created at line 30 



1. To prove the lemma, we consider different cases according to what 



31 Let ( -, p, node, -, -, -) be the result returned by the call to search(uaO 



on line [23] that precedes the creation of /. Let newNode be the new internal node that is created at line 27 Then, 
I.pNode[ff\ = p, I .oldChild[0] = node and I.newChild[0] = newNode. By Lemma [6] p.child[j] — node for 
some j at some time during search(waZ) and (jp.label) • j is a prefix of val. By Invariant l7j (p.label) ■ j is also a 
prefix of node.label. So, the fcth bits of node.label and val are j. Initially, the children of newNode are a new 
leaf node whose label is val and a new copy of node. Since [p.label) • j is a prefix of node.label and val, the fcth 
bit of newNode.label is j. 

Case 2: / is created at line 40 Let {gp. 



P, 



node. 



be the result returned by the call to search(i;aO on 



line [36] that precedes the creation of /. Let nodeSibling be the element of p.child that is read at line 38 Then, 
I.pNode[0] — gp, I .oldChild[0] ~ p and I .newChild[0] — nodeSibling. By Lemma[6j gp.child[j] — p for some 
j at some time during search(uaO. By Invariant [t] [gpdabel] • j is a prefix of p.label and p.label is a prefix of 
nodeSibling .label. So, fcth bits oi p.label and nodeSibling. label are j. 

Case 3: / is created at line 55 or 57 Let {gpd, Pd, nodcd, -, -, -) be the result returned by the call to seaTch(vald) 

■, Pi, nodei, -, -, -) be the result returned by the call to search(uaZi) 
newNodcj is the new internal node that is created at line 1531 Then, 



on line 
on line 



45] that precedes the creation of I and ( 
47]that precedes the creation of /. Then, 



I .pNode[0] = Pi, I .oldChild[0] — nodei and I .newChild[0] — newNodei. By the same argument as in Case 1, 
the lemma is true for fcth bit of nodei.label and new Nodei. label. Let nodeSiblingd be an element of pd. child 
that is read at line 38 Then, I.pNode[0] = gpd, I.oldChild[0] = pd and I.newChild[0] — nodeSiblingd. By the 
same argument as in Case 2, the lemma is true for fcth bit of pd.label and nodeSiblingd. label. 

Case 4: / is created at line 59 Let ( -, pi, nodci, -, -, -) be the result returned by the call to search(uaZi) on line 
47 that precedes the creation of /. Then, I .pN ode[0\ — Pi, I.oldChild[0] — nodci and I.newChild[0] is the new 
leaf node whose label is vak. By Lemma |6] pi.child[j] — nodei for some j at some time during search(i'a/j) and 
(pi.label) • j is a prefix of vak. By Invariant [t] (pi.label) • j is a prefix of nodei.label. 



Case 5: / is created at line 64 Let {gpd, Pd, nodcd, 
line 45 that precedes the creation of / and ( -, pi, nodci 



be the result returned by the call to search(i;aZrf) on 
be the result returned by the call to search(uaZi) 
on line [47] that precedes the creation of /. Then, newNodci is the new internal node that is created at line 62 
Then, I.pNode[0] — gpd, I .oldChild[0] = pd and I.newChild[0] = newNodci. Let nodeSiblingd be the child 
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of pd that is read at line 50 By Lemma |6] gpd-child[j] — pd for some j at some time during search(i'aZd)- By 
Invariant|7j [gpd-label) • j is a prefix of pd-label and pd-label is a prefix of nodeSiblingd-label. So, (gpd-label) ■ j 
is a prefix of node S Ming d -label and the fcth bit of pd-label is j. 

If the condition at Hn e[60| is true, by Lemmal6] {gpd-label)- j is a prefix of t;a/i (since pi = and nodei = p^)- 
If the condition at Hne |61| is true, by Lemma p] pi.label is a prefix of vali, so (gpd-label) • is a prefix of waZi 
(since pi = p^)- Initially, the children of newNodei are the new leaf node whose label is vali and nodeSiblingd- 
Since {gpd-label) • j is a prefix of nodeSiblingddabel and wa/;, the fcth bit of new N odei label is j. 



Case 6: / is created at line 70 Let {gpd, Pd, noded, -, -, -) be the result returned by the call to search(wa^£;) on line 



45 that precedes the creation of / and ( -,pi, nodei, -, -, -) be the result returned by the call to search(uaZi) on line 47 
that precedes the creation of /. Then, newChildi is the new internal node that is created at line |67] and newNodei 
is the new internal node that is created at linel69] Then, nodei — gpd, I.pNode[0] ~ pi, I .oldChild[0] — nodei and 



I .newChild[0] = newNodei. Let nodeSiblingd be the child of pd that is read at line 50 and pSiblingd be a child 
of gpd that is read at line 66 By Lemma[6j Pi.child[j] — nodei — gpd for some j at some time during search(wa^i). 



By Invariant [t] (pi.label) • j is a prefix of gpd-label, gpd-label is a prefix of pSiblingd-label and of pd-label and 
Pd-label is a prefix of nodeSiblingd- So, {pi-label) • j is a prefix of pSiblingd-label and nodeSiblingd-label, and 
the fcth bit of nodei-label is j. 

Initially, the children of newChildi are pSiblingd and nodeSiblingd- Since (pi-label) • j is a prefix of 
pSiblingd-label and nodeSiblingd-label, (pi.label) • j is a prefix of newChildi -label- By Lemma|6] (pi-label) ■ j 
is a prefix of vali- Initially, the children of newNodei are the new leaf node whose label is vak and newChildi- 
Since (pi-label) • j is a prefix of newChildi-label and vali, the fcth bit of new Nodei. label is j- ■ 

In the implementation, update operations might help one another to change the child fields of nodes by calling 
the help routine. So, there might be several CAS steps that try to change an element of the child field of some 
internal node from a value old to some value new. The following lemmas show that, as long as there is no ABA 
problem on the child field of an internal node, the first child CAS of / on I.pNode[i] succeeds and no subsequent 
ones succeed. 

Later we shall use these facts to prove inductively that there is no ABA problem on child fields. 

Lemma 30. Assut^ie that before some time T, for all internal nodes y, no child CAS sets y.child[k] to a value old 
after a child CAS of the form CAS(y.child[k], old, -) succeeds. 

Let I be a Flag object. Then, for each i, only the first child CAS of I on I .pNode[i] can succeed at T or 
before T. 

Proof: Let x — I.pNode[i] and old = I.oldChild[i]. Then, the child CAS of / on I.pNode[i] is of the form 
CAS(x. child[j], old, -) for some j. Let Tic be the time when the first child CAS of / on I.pNode[i] occurs. 
Suppose some other child CAS of / on I.pNode[i] occurs at Tc where Tic < Tc < T. We shall show the child 
CAS at Tc fails. 



By Observation 27 x.child[j] was old at some time before / was created (before Tic). If x.child[j] — old 



immediately before Tic, then the child CAS at Tic changes x.child[j] from old to a different value (by Lemma 28 1. 
Thus, just after Tic, x.child[j] ^ old. So, at Tic or some time before Tic, a child CAS of the form CAS(x .child[j], 
old, -) succeeds. By the assumption, x.child[j] is not changed back to old between Tic and T, so the child CAS 
at time Tc fails. ■ 
Let / be a Flag object. The following lemma shows that if the first child CAS of / on I.pNode[i] for some i 
occurs, no other child CAS changes the child fields of nodes in Fj between the time when the info fields of the 
nodes in Fj are read for the last time before / is created and the first child CAS of / on I.pNode[i]. 

Lemma 31. Assut^ie that before some time T, for all internal nodes y, no child CAS sets y.child[k] to a value old 
after a child CAS of the form CAS(y.child[k], old, -) succeeds. 

Let I be a Flag object, x — Lflag[i] and xinfo — LoldInfo[i] for some i. Suppose x.info = xinfo at time 
Ti and for some j, the first child CAS of I on TpNode[j] occurs at time T2 > Ti and T2 < T. Then, no child 
CAS of any other Flag object I' ^ I changes x. child between Ti and T2. 



Proof: By Lemma 30 for each fc, only the first child CAS of Flag object /' on I' .pNode[k] can succeed. 



Thus, if a child CAS of /' changes x. child, by Lemma 21 and 22 x.info = I' just before the CAS (since x £ Fj 



by Observation 24 1. By Lemma 25 x.info is either xinfo or / at all times between Ti and T2. By Lemma 12 
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xinfo is an Unflag object. Since / ^ I', x.info is never equal to /' between Ti and T2, so no child CAS of /' 
changes x. child between Ti and T2. ■ 

Lemma 32. Assut^ie that before some time T, for all internal nodes y, no child CAS sets y.child[k] to a value old 
after a child CAS of the form CAS(y.child[k], old, -) succeeds. 

Let I be a Flag object. Then, for each i, if the first child CAS of I on I .pNode[i] occurs before T, then it 
succeeds. 

Proof Let x = I.pNode[i], old = I.oldChild[i]. Then, the child CAS of / on I.pNode[i] is of the form 
CAS{x. child[j], old, -). Let Ti^ be the time when the first child CAS of / on I.pNode[i] occurs (before T). We 
prove that it succeeds. 



By Observation 24 x = I.pNode[i] S Fj. By Lemma 14 x.info = LoldInfo[i] at time Tq before / is created. 
By Observation 27 and Lemma |6] x.child[j] — old at some time between To and Tic. So, to prove the lemma, it 
suffices to show that no child CAS changes x.child[j] from old to another value between To and Tic. 

First, we argue that such a change cannot be made by a child CAS of / itself. This can only happen if / is 
created at line 55 or 57 and i — 1 and the child CAS of / at Tic is on I.pNode[l]. For this case, we must show 
that no child CAS of / on I.pNode[0] changes x.child[j] from old to another value: Since the condition at line|F] 
preceding the creation of / is true, LoldNode[0] ^ LoldNode[l]. If LpNode[0] = LpNode[l], the child CAS of 
/ on I.pNode[0] does not change x.child[j] from old to another value (since I.oldNode[0] 7^ old). 

By Lemma [3T| no child CAS of /' 7^ / changes x.child[j] between To and Tic. ■ 

Let / be a Flag object and x be an internal node in Fj — Uj. By Lemma [2T| and 22 x.info = I just before the 



first child CAS of /. If there is any child CAS of /, by Lemma 21 22 andG3] x.info = / at all times after the 



first child CAS of /. After the first child CAS of /, we say x is marked by I. (Thus, once a node is marked by /, 
it remains marked by I forever.) 

Now, we prove if an internal node becomes unreachable, it is marked after that. 

Lemma 33. Assut^ie that before some time T, for all internal nodes y, no child CAS sets y.child[k] to a value old 
after a child CAS of the form CAS(y.child[k], old, -) succeeds. 

Let I be a Flag object and x be an internal node. Consider a child CAS of I that succeeds at time T' (before 
T). If X is reachable immediately before T' and x becomes unreachable at T' , x is marked by I at all times after 

r. ' 



fine 23 36 



node, -, -, -) be the result returned by the call to search(waO on 
45 that precedes the creation of /. If / is created inside replace(waZ, vol'), let ( -, p' , node' , -, -, -) 



Proof: Let / be a Flag object. Let {gp, p. 
or 



be the result returned by the call to search(uaZ') on line 47 that precedes the creation of /. By Lemma 30 T' is 
the first child CAS of / on I.pNode[i] for some i. We consider different cases according to what line created /. 
For each case, we show that only nodes in T/ — [// could become unreachable immediately after T'. By Lemma 
21 22 and 23 any node in Fi — Ui is flagged by / at all times after T'. 

Case 1: / is created at line|30] Then, node is an internal node. Then, new Node is the new internal node created at 
line 27 whose non-empty children are a new leaf node and a new copy of node. In this case, ToldChild[0] = node 
and I.newChild[0] = newNode. Since node e T/, by Lemma 31 node.child is not changed between the time 
when node.info is read at line 25 and T'. Thus, just before T', the child field of the new copy of node is the same 
as node.child. The only internal node that could become unreachable at T' is node. In this case, node ^ Fj ~ Uj. 
By the definition, node is marked at all times after T'. 

Case 2: / is created at line 31 Then, node is a leaf node. In this case, FoldChild[Q\ — node is a leaf node, so 



no internal node becomes unreachable at T'. 

Case 3: / is created at line|40] Let nodeSibling be the element of p.child that is read at line 38 By Invariant |7] 
and Lemma[4] nodeSibling exists and is different from node. In this case, I .oldChild[0] = p and I .newChild[0] = 
nodeSibling. Since p e Fj, by Lemma 31 p.child is not changed between the time when p.info is read for the 
last time during search(uaO and T'. Since p is a parent of node during search(wa/) (by Lemma [6]l and p is a parent 
of nodeSibling at line 38 the children of p just before T' are node and nodeSibling. Since the operation does 
not return false at line 37 node is a leaf node. So, the only internal node that could become unreachable at T' is 
p. In this case, p E Fj — Ui . By the definition, node is marked at all times after T'. 
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Case 4: / is created at line |55] or |57] Then, newNodci is the new internal node that is created at line |53] If the 
first child CAS of / on I.pNode[0] occurs at time T', an element of p' .child is changed from node' to newNodci 
at T'. By the same argument as in Case 1 and 2, if node' is an internal node, node' is the only internal node that 
could become unreachable at T' and node' is marked at all times after T' . 



Let nodeSiblingd be an element of p. child that is read at line 50 If the first child CAS of / on I.pNode[l\ 



occurs at time T', an element of gp. child is changed from p to nodeSiblingd at T'. By the same argument as in 
Case 3, p is the only internal node that could become unreachable at T' and p is marked at all times after T' . 

Case 5: / is created at line 59 Then, I.oldChild[0] — node'. Since the operation does not return false at line 
46 node' is a leaf node. Since I.oldChild[0] is a leaf node, no internal node becomes unreachable at T'. 

Case 6: / is created at Une |64] Let nodeSiblingd be the element of p.child that is read at line |50] Then, 
newNodci is the new internal node created at line |62] whose children are a new leaf node and nodeSiblingd. 
By Invariant |7] and Lemma |4] nodeSiblingd exists and is not equal to node. In this case, I .oldChild[0] = p and 
I.newChild[0] — newNodci. By Lemma 31 since p E Fj, p.child is not changed between the time when p.info 
is read for the last time during search(?;aO and T'. Since node ^ nodeSibling, by Lemma [4] the children of p are 
node and nodeSibling just before T'. Since the operation does not return false at line [46] node is a leaf node. So, 
the only internal node that could become unreachable at T' is p. In this case, p G Fj — Uj. By the definition, p is 
marked at all times after T'. 



Case 7: / is created at line 70 Then, gp — node'. Let nodeSiblingd be the element of p.child that is read at 
line |50] and pSiblingd be the element of gp.child that is read at line [66] Then, newChildi is the new internal 
node created at line [67] whose children are nodeSiblingd and pSiblingd and newNodci is the new internal node 
created at line |69l whose children are a new leaf node and newChildi. In this case, I.oldChild[0] = gp and 



LnewChild[0] = newNodet. In this case, gp G Fj and p e Fi. By Lemma 31 gp.child is not changed between 
the time when gp.info is read for the last time during search(uaO and T' . By Lemma 31 p.child is not changed 
between the time when p.info is read for the last time during search(waO and T'. So, just before T', the children 
of gp are p and pSiblingd and the children of p are node and nodeSiblingd- Since the operation does not return 
false at line 46 node is a leaf node. So, the only internal nodes that become unreachable at T' are gp — node' and 
p. In this case, gp — node' and p are in Fj — Ui. By the definition, p and gp are marked at all times after T'. ■ 
The following corollary shows if an internal node is not marked, it has not become unreachable. 

Corollary 34. Assume that before some time T, for all internal nodes y, no child CAS sets y.child[k] to a value 
old after a child CAS of the form CAS(y.child[k], old, -) succeeds. 

If an internal node x is not marked at time T' (before T) and x was reachable at some time before T' , then x 
is reachable at time T' . 

Now, we show that, for each i, I .oldChild[i] becomes unreachable just after the successful child CAS of / on 

I.pNode[i]. 

Lemma 35. Assume that before some time T, for all internal nodes y, no child CAS sets y.child[k] to a value old 
after a child CAS of the form CAS(y.child[k], old, -) succeeds. 

Let I be a Flag object. If the child CAS of I on I .pNode[i] succeeds at time T' (before T) for some i, 
I.oldChild[i] becomes unreachable just after T' . 



Proof: Let / be a Flag object. Let {gp, p, node, 
or 
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, -) be the result returned by the call to search(uaO on 
45 that precedes the creation of /. If / is created inside replace(wa/, vol'), let ( -, p' , node' , -, -, -) 



be the result returned by the call to search(uaZ') on line 47 that precedes the creation of /. By Lemma 30 T' is 
the first child CAS of / on I .pN ode[i]. We consider different cases according to what Une created /. 



Case 1: / is created at line [30[ or [3T] Let new Node be the new internal node created at line 27 whose non-empty 
children are a new leaf node and a new copy of node. By Invariant]?] node is not descendant of the new copy of node 
and hence is not a descendant of newNode. In this case, I .oldChild[Q\ = node and I .newChild[Q\ = newNode. 
Since p G Fi, p is a parent of node just before T' (by Lemma 31 1. Since p.info = I just before T' (by Lemma 



21 and 22 1, p is not marked just before T' and p is reachable just before T' (by Corollary 34 1. By Lemma [9] p 
is the only reachable parent of node just before T' . Since node is not a descendant of newNode, node becomes 
unreachable just after T' . 
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Case 2: / is created at line|40] Let nodeSibling be the element of p.child that is read at Hne 38 By Invariant |7] 
and Lemma|4] nodeSibling exists and is different from node. In this case, I .oldChild[Q\ = p and I .newChild[0] = 
nodeSibling. Since p and gp are in Fj, gp is a parent of p and p is a parent of node just before T' (by Lemma [3T]l. 



Since gp.info — I just before T' (by Lemma 21 and 22 1, gp is not marked just before T' and gp is reachable just 



before T' (by Corollary 34 1. Since gp is the reachable parent of p just before T', p is reachable just before T'. By 
Lemma [9] p is the only reachable parent of node just before T'. Since node is not a descendant of nodeSibling 
(by Invariant [7|, node becomes unreachable just after T'. 

Case 3: / is created at line [55] or [57] Let newNodci be the new internal node that is created at line [53] If the 
first child CAS of / on I .pN ode[{)\ occurs at time T', an element of p' .child is changed from node' to newNode.i 
at T' . By the same argument as in Case 1, node' becomes unreachable just after T' . 



Case 4 
node 



Let nodeSibling^i be an element of p.child that is read at line 50 If the first child CAS of / on I .pN ode[l\ 
occurs at time T' , an element of gp. child is changed from p to nodeSiblingd at T'. By the same argument as in 
Case 2, node becomes unreachable just after T'. 

s created at line 59 Then, node — node', I.oldChild[0] — node' and I .newC hild[0] is a new leaf 
Since p e Fj, p is a parent of node = node' just before T' (by Lemm a [6] and [sTji. Since p.info = I just 
before T' (by Lemma 21 and 22 1, p is reachable just before T' (by Corollary 34 1. Since I .newChild[0] is a leaf 
node and p is the only reachable parent of node — node' just before T' (by Lemma |9]l, node' becomes unreachable 
just after T'. 



Case 5: / is created at line 64 Let nodeSiblingd be the element of p.child that is read at line[50[ Let newNodci 
be the new internal node created at line 62 whose children are a new leaf node and nodeSiblingd. By Invariant [7] 
and Lemma[4j nodeSiblingd exists and is not equal to node. In this case, I .oldChild[0] ~ p and I .newChild[0] — 
newNodci. By Invariant |7] p is not a descendant of nodeSiblingd and hence is not a descendant of newNodCi. 
Since gp E Fj, gp is a parent of p just before T' (by Lemma 31 1. Since gp.info = I just before T' (by Lemma 
21 and 22 1, gp is not marked just before T' and gp is reachable just before T' (by Corollary 34 1. By Lemma [9] gp 
is the only reachable parent of p just before T' . Since p is not a descendant of newNodci, p becomes unreachable 
just after T' 

Then, gp — node'. Let nodeSiblingd 



Case 6: / is created at line 70 



be the element of p.child that is read 
at line [50] and pSiblingd be the element of gp.child that is read at line [66] Let newChildi be the new internal 
node created at line [67] whose children are nodeSiblingd and pSiblingd. Let newNodci be the new internal node 



created at line 69 whose children are a new leaf node and newChildi. In this case, LoldChild[0] — gp and 
I .newChildlO] = newNodCi. By Invariant ]7] gp is not a descendant of nodeSiblingd, pSiblingd, newChildi or 



newNodci. Since p' e Fj, p' is a parent of node' ~ gp just before T' (by Lemma 31 1. Since p'.info = I just 



before T' (by Lemma 21 and 22 1, p' is not marked just before T' and p' is reachable just before T' (by Corollary 
34 1. By Lemma ]9] p' is the only reachable parent of node' = gp just before T'. Since gp is not a descendant of 
newNodci, gp becomes unreachable just after T' . ■ 
We say that the search operation visits the node that gets stored in node when the search performs line 78 or 82 



The following lemma shows that a search operation does not visit a node that was unreachable at aU times during 
the operation. 

Lemma 36. Assume that before some time T, for all internal nodes y, no child CAS sets y.child[k] to a value old 
after a child CAS of the form CAS(y.child[k], old, -) succeeds. 

Assume a search operation visits a node xChild ^ root by reading xChild in the child field of some node 
pNode before T. Then, there is a time after the search operation begins and before the search operation visits 
xChild that pNode is reachable and a parent of xChild. 

Proof: We prove the lemma by induction on the number of steps that the search operation has done. Let T' 
be a time that the search operation visits a node xChild (before T). We assume the lemma is true for all nodes 
visited before T' . Now, we show that the lemma is true for xChild. Then, xChild is visited on line[82|at time T. 
First, we show that pNode is visited earlier during the operation. 



If xChild is visited at line 82 pNode is visited earlier at line 78 or at line 82 during the previous loop iteration. 
Thus, pNode is visited at some time during the search operation before time T' . So, pNode was reachable at some 
time T" after the search operation begins and before the search operation visited pNode. If xChild was a child 
of pNode at T" , the lemma is proved. 
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Otherwise, an element of pNode. child is set to xChild at some later time between T" and T' . Thus, a child 
CAS sets an element of pNode.child to xChild between T" and T' . Let / be a Flag object such that a child CAS 
of / sets an element of pNode.child to xChild between T" and T' . By Lemma 32 the first child CAS of / on 
pNode succeeds between T" and T' . By Observation 24 pNode £ Fj. By Corollary 21 and 22 pNode.info = I 
just before the child CAS of / between T" and T'. By Observation 24 pNode e Ui. So, pNode is not marked 



just before the child CAS of /. Since pNode was reachable at T", by Corollary 34 pNode is still reachable just 
before the child CAS of /. So, pNode is reachable and a parent of xChild just after the child CAS of / between 
T" and T'. ■ 
Now, we show, after a node becomes unreachable, the node does not become reachable again. 

Lemma 37. Assume that before some time T, for all internal nodes y, no child CAS sets y.child[k] to a value old 
after a child CAS of the form CAS(y.child[k], old, -) succeeds. 

Let X be a Node object. If, after x is reachable, x becomes unreachable at time T' (before T), x does not become 
reachable again between T' and T. 

Proof To derive a contradiction, assume the lemma is false. Let T" (before T) be the first time it is violated 
and X be the highest node in the tree at T" that violates the lemma. Let T' be the time that x becomes unreachable 
before T" . So, x becomes reachable when a child CAS is performed at T" . We have two different cases. 

Case 1: a child CAS of some Flag object / sets an element of a child field to x at T" . If / and x are created in 
the same loop iteration of an update operation, x is not reachable at any time before T" . So, / is created at line 
40 55 or 57 Let {gpd, Pd, -, -, -, -) be the result returned by the call to the search operation on Une 36 or 45 
that precedes the creation of /. If / is created at line 40 I.newChild[0] — x and if / is created at line 55 or 57 



I .newChild[l] = x. Then, x is read as a child of pd at line 38 or[50]and an element of gpd.child is set to x at 
T". By Observation I24) gpd e Fi and gpd e Ui. 



By Lemma 32 the first child CAS of / on gpd succeeds at T' 
T" . Since gpd is not marked just before T" and gpd was reachable during the search operation by Lemma [36 



By Lemma |2T| and |22| gpd.info = / just before 

gPd 



is reachable just before T by Corollary 34 Since pd was a child of gpd during the search operation (by Lemma 
|6|, Pd is a child of gpd just before T" (by Lemma 31 1. Since gpd is reachable just before T", pd is reachable just 
before T". By Lemma 31 since pd e Fj, p.child is not changed between the time when p.info was read for the 
last time during the search operation and T". Since x was a child of pd at line 38 or 50 x is still a child of pd 



just before T". Since pd is reachable just before T", x is reachable just before T", contradicting the fact that x 
becomes reachable at T" for the first time after T' . 

Case 2: the child CAS of some Flag object / sets an element of a child field to a proper ancestor anc of x at 
T" . Since x is not reachable just before T", anc is also not reachable just before T". Since x is the highest node 



that violates the lemma at T", anc is not reachable at any time before T". So, anc is created at line 121 inside 
createNode that is called at line |27] |53] |62] or |69] prior to the creation of /. We consider different cases depending 
on what line calls createNode that created anc. 

Let 



Case 2A: anc is created at line 121 



which is called from line 27 
or 



or 



521 and the leaf node that is created at line |27 
or 



returned by the call to the search operation on line 23 
initially are a new copy of nodti that is created at line 26 

Since x was reachable before T', x is not created at line 261 |27J 152] or 153] that precedes the creation of /. So, x is 



or 



53 



Pi, nodci, -, -, -) be the result 
47] that precedes the creation of /. The children of anc 

53 



or 



not a child of anc just before T . Since anc is an ancestor of x just before T , a child of anc is an internal node 
just before T". So, nodci is an internal node and a; is a descendant of a new copy of nodci just before T". So, 
/ is created at line 30 or 55 Since nodci E Fj, nodci. child is equal to the child field of the new copy of node.i 
just before T" (by Lemma 31 1. So, x is also a proper descendant of nodci just before T" . Let nodeChild be a 
child of nodci at line 26 or 52 such that a; is a descendant of nodeChild just before T". 

Since pi.info = I just before T" (by Lemma 21 and 22 1, pi is not marked just 



By Observation 24 
before T 



Pi 



F, 



Since pi was reachable during the search operation (by Lemma 36 1, pi is reachable just before T" by 
Corollary 34 By Lemma [6] pi is a parent of nodci at some time during the search operation before T". Since pi is 
a parent of nodci just before T" (by Lemma 31 1 and pi is reachable just before T", nodci is reachable just before 

nodeChild is a child of 



T". Since nodci. child is not changed between line 26 
nodci just before T" . Since nodci is reachable just before T", nodeChild is reachable just before T' 



52 and T" (by Lemma 31 



Since x is 



24 



a descendant of nodeChild just before T" , 
at T" for the first time after T' . 



X is reachable just before T" , contradicting that x becomes reachable 



Case 2B: anc is created at line 121 which is called from line 62 Then, / is created at line 64 Let {gpd, Pd, 
noded, -, -, -) be the result returned by the call to search(waZc;) on line 45 that precedes the creation of /. Let 



nodeSiblingd be the node that is read from pd-child at line 50 The children of anc initially are nodeSiblingd and 



the leaf node that is created at line 62 Since x was reachable before T', a; is not created at line 62 that precedes 
the creation of /. Since anc is an ancestor of x just before T", x is a descendant of nodeSiblingd just before T". 

In this case, gpd G Fj and pd € Fj. By Observation 24 gpd G Uj. Since gpd-info ~ I just before T" (by 
Lemma 



Lemma 



By Observation 24 
21 and |22|i, gpd is not marked just before T" 



Since gpd was reachable during the search operation (by 



36 1, gpd is reachable just before T" (by Corollary 34 1. By Lemma [6] gpd is a parent of pd at some time 



during the search operation. So, gpd is a parent of pd just before T" (by Lemma 31 1. Since gpd is reachable just 



before T", pd is reachable just before T". By Lemma 31 nodeSiblingd is a child of pd just before T". Since pd 
is reachable just before T", nodeSiblingd is reachable just before T". Since a; is a descendant of nodeSiblingd 
just before T", x is reachable just before T", contradicting that x becomes reachable at T" for the first time after 

r. 

Case 2C: anc is created at line 69 Then, / is created at line 70 Let {gpd, Pd, nodcd, -, -, -) be the result 
returned by the call to search(uaZd) on line 45 that precedes the creation of / and ( -, pi, nodci, -, -, -) be the result 
returned by the call to seaich{vali) on line 47 that precedes the creation of /. Let nodeSiblingd be the child of 



Pd that is read at line [50| and pSiblingd be the child of gpd that is read at line|66] Let newChildi be the internal 
node that is created at line 67 Initially, the children of newChildi are nodeSiblingd and pSiblingd- The children 
of anc initially are newChildi and the leaf node that is created at line 69 Since x was reachable before T', x is 



not created at line 


67 


or 


69 


not created at line 


67 


or 


69 



that precedes the creation of /. Since anc is an ancestor of x just before T" and x is 
x is a descendant of nodeSiblingd or of pSiblingd just before T". 
In this case, nodci ~ gpd- Since / is created at line 70 by the pseudo-code, Fj = {pt, gpd,Pd}- Since pi.info = I 
just before T" (by Lemma 21 and 22 1, pi is not marked just before T" . Since Pi was reachable during the search 
operation (by Lemma 36 1, pi is reachable just before T" by Corollary 34 By Lemma [6] and |3T| pi is a parent of 
nodci = gpd just before T" and gpd is a parent of pd just before T" . Since pi is reachable just before T" , gpd 
and Pd are reachable just before T" . By Lemma 31 nodeSiblingd is a child of pd just before T" and pSiblingd 
is a child of gpd just before T" . Since pd and gpd are reachable just before T", nodeSiblingd and pSiblingd are 
reachable just before T" . Since a; is a descendant of nodeSiblingd or of pSiblingd just before T", x is reachable 
just before T", contradicting that x becomes reachable at T" for the first time after T' . ■ 
Now, we show that the ABA problem on the child field of internal nodes is avoided. 

Lemma 38. Let x and y be internal nodes. After a child CAS of the form CAS(x.child[i], old, -) succeeds, no 
child CAS sets y.child[j] to old. 

Proof: To derive a contradiction, assume the lemma is violated for the first time at T. Let / be a Flag object 
such that the first child CAS of / of the form CAS(x. child[i], -, old) succeeds at T and let /' be a Flag object 
such that the first child CAS of /' of the form CAS{y.child[j], old, -) succeeds at some earlier time T'. 

Since the child CAS of /' changes y.child[j] from old to other value at T', y.child[j] = old just before T' . By 
y G F]. Since y.info = I' just before T' (by Lemma 21 and 22 1, y is not marked just before T' . 



Observation 24 



By Lemma 36 y was reachable at some earlier time. So, y is reachable just before T' (by Corollary 34 1. Since old 
is a child y just before T', old is reachable just before T'. 

or 



If old is created at line 27 53 59 62 



69 that precedes the creation of /, old could not become reachable 
before the child CAS of / at T. So, old and / are not created in the same loop iteration of an update operation. 

40 55 or 57 Let {gpd, Pd, nodcd, -, -, -) be the result returned by the call to the search 
that precedes the creation of /. Then, x = gpd and old is read as a child of pd at line 38 



Thus, / is created at line 



operation at line 36 
or 



45 



50 Since gpd G Fj, gpd-info 



I just before T (by Lemma 21 and 22 1. So, gpd is not marked just before T. 

gpd was a parent 



By Lemma |6] gpd was a parent of pd at some time during the search operation. By Lemma 3 1 



of Pd just before T. Since gpd is reachable just before T, pd is reachable just before T. By Lemma 31 old is a 
child of Pd just before T. Since pd is reachable just before T, old is reachable just before T. By Lemma 35 old 



becomes unreachable just after T' (before T), contradicting Lemma 37 
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Since there is no ABA problem on the child field of nodes, Corollary 34 and Lemma 30 31 32 33 35 36 and 



37 which we proved earlier with the assumption that there is no ABA on the child fields of nodes is true without 
the assumption. 

By Lemma |2T| |22] |32] and [38] we have the following corollary. 



Corollary 39. Let I be a Flag object and x G Fj. Then, x.info = I when a successful child CAS of I occurs. 

D. Correctness of the Search Operation 

In this section, we first show the post-conditions of the search operation are satisfied. Then, we show how to 
linearize search operations that terminate. 

Let / be a Flag object that is created at li ne [SS] or [57] Then, the number of elements of I.pNode, I.oldChild 
and I .newChild is two and, by Observation |26[ I .rmvLeaf is set to a non-empty leaf node. By Observation 26 



I .rmvLeaf is flagged at line 95 before the first child CAS of / at line 98 Any time after the first child CAS of /, 
we say I.rmvLeaf is logically removed. The following lemma shows that after a leaf node is flagged by a Flag 
object, the leaf node is not flagged by another Flag object. 



Lemma 40. Let I be a Flag object that is created at line 55 or 57 If I .rmvLeaf .info is set to I by line 95 at 
time T, I .rmvLeaf .info is not set to another Flag object I' ^ I before T. 



Proof: Let {gpd, Pd, noded, -, -, rmvdd) be the result returned by the call to search(va^d) on line 45 that 
precedes the creation of /. Then, I .rmvLeaf = noded. First, we show the following claim. 

and {gp';^. 



Claim: Let /" be a Flag object that is created at line |55 
call to search(i;a^[j') on line 



45 



or 



57 



be the result returned by the 



that precedes the creation of / . 
If all nodes in F" get flagged successfully, p'J is reachable at all times between the time when p''^ was reachable 
during search(wa/^') and the first child CAS of /". 

gp'li is reachable at some time during 



55 



or 



57 



gp'li e Fin . By Lemma 



36 



Proof of Claim. Since / is created at line 
search(wa/^')- Since gp'^.info ~ I" just before the first child CAS of /" (by Corollary 39 1, gp'^ is not marked just 
before the first child CAS of /". So, gp'^ is reachable just before die first child CAS of /" (by Corollary [34|. By 
Lemma |6] gp'^ was a parent of p'J at some time during the search operation. By Lemma 3 1 gp'^ is a parent of p'J 
just before the first child CAS of /". Since gp'^ is reachable just before the fist child CAS of /", p'^ is reachable 
just before the first child CAS of /". By Lemma 37 p'^ is reachable at all times between the time when p'^ was 
reachable during search(uaZ2) and the first child CAS of /". This completes the proof of the claim. 



Let T' be the time when search(wa^d) reads noded.info on line 84 First, we show noded-info is not set to 



a Flag object at any time before T'. Then, we show noded.info is not set to a Flag object /' 7^ / at any time 
between T' and T. 



If noded.info is an Unflag object at T', by Observation 26 noded.info is not set to a Flag object at any 
time before T'. We show that noded.info is an Unflag object at time T' . We prove it by contradiction. Assume 
noded.info is some Flag /' at T'. Let ( -, p'^, noded, -, -, -) be the result returned by the call to search(wa/^) 



on line 45 that precedes the creation of /'. Since the replace operation that creates / does not return false at the 
execution of line 46 that precedes the creation of /, rmvdd is false. Since rmvdd = false and noded.info = /' 



at line 84 I' .pNode[0\ was a parent of I' .oldChild[Q] at line 124 during search(uaZd)- By Lemma 32 and 38 



child CAS of /' on I' .pN ode[()\ occurs before T' . By Observation 26 all nodes in F// are flagged by /' before 
T by Lemma |22] 

By the claim, is reachable just before T' . Since pd.info is set to / after seaich(vald) and before the first 
child CAS of / by CoroUaryflag-node-before-child-cas-col. So, pd.info is read for the last time during search(wa/ci) 



before T' and pd.info is changed from that value to / after T'. By Lemma 15 and 12 pd.info is an Unflag object 
at T'. Since p'^^.info = I' at T' and pd.info is an Unflag object at T', pd ^ p'd- Then, by Lemma|6]and 31 



Pd 



a parent of noded and pd was a parent of noded just before T' and, by the claim, p'^ and pd are both reachable just 
before T', contradicting Lemma |9] (since pd ^ p'^). Thus, noded.info is an Unflag object at T' and, by Observation 
26 noded.info is not set to a Flag object at any time before T' . 

Now, we show that noded.info is not set to some Flag object I' ^ I between T' and T. Let ( -, p^, noded, 



-, -, -) be the result returned by the call to search(wa/^) on line 45 that precedes the creation of /'. By Lemma 
[6] and 31 pd was a parent of noded at all times between T' and T. By the claim, pd is reachable at all times 



26 



between T' and T. If nodcd-info is set to /' between T' and T, by Lemma |6] and 31 p'^ was a parent of nodcd 
just before nodcd-info is set to /' and, by the claim, p'^ is reachable just before nodcd-info is set to /'. So, by 
Lemma |9] 



26 



and Lemma 



22 



Pd-info — I' just before 



p'^. In this case, pd = p'd ^ Fj>. Thus, by Observation 
noded-info is set to /' between T' and T. By Lemma 25 pd-info ^ V at all times between T' and T. Thus, 
nodcd-in] o is not set to some Flag object /' between T' and T. ■ 
Next, we have the following lemma that shows when a leaf node is logically removed, other operations see that 
it is removed using the m/o field of the leaf node. 



Lemma 41. Let 1 he a Flag object that is created at line 55 or^T^ I .rmvLeaf is logically removed if and only 
if I. rmv Leaf .info = / and L.pNode[()\ is not a parent of I .oldChild[0]. 

Proof First, we show that L .rmv Leaf .info ~ I and L.pNode[Q] is not a parent of L .oldChild[{)\ if 
I.rmvLeaf is logically removed. Let T be the time when the first child CAS of / is executed. By definition, 
I.rmvLeaf is logically removed at all times after T. By Observation 26 I.rmvLeaf .info is set to / before 
T. By Lemma 40 LrmvLeaf.info — I at all times after that. By Lemma [32] and [38] the first child CAS 



LrmvLeaf.info — L at 
of I successfully changes I.pNode[0].child[i 

I.oldChild[0] ^ LnewChild[0]. By Lemma [38] I.pNode[0] is not 



1 times after that. By 

from I.oldChild[Q] to L.newChild[0] at T. By Lemma 

parent of L.oldChild[Q] after T. Th^, 



at all times after time T, L .rmv Leaf .info — I and I.pNode[0\ is not a parent of I .oldChild[0\. 

Now, we show that I.rmvLeaf is logically removed if LrmvLeaf.info = I and I.pNode[Q] is not a parent of 
I.oldChild[0]. Suppose LrmvLeaf.info = I and I.pNode[0] is not a parent of I.oldChild[0] at some time T. 
Then / was created before T, and during the search that precedes the creation of /, I.oldChild[0] was a child of 
I.pNode[0] Thus, some child CAS changed I.pNode[Q].child[i] from I.oldChild[0] to a different value before T. 
We argue that this must have been a child CAS of /, which means that I.rmvLeaf is logically removed at time 
T. Let ( -, Pi, nodei, -, -, -) be the result returned by the call to the search operation on line 47 that precedes the 
creation of /. Then, I.pNode[0] = pi, I.oldChild[0] = nodei and pi e Fj by Observation 24 By Lemma 31 no 



child CAS of another Flag object I' ^ I changes pi.child between the time when pi.info is read for the last time 
during the search operation that precedes the creation of /. ■ 

Definition 42. A node is logically in the trie at time T if the node is reachable at T and the node is not logically 
removed at T. 

Here, we show when the search operation terminates, all post-conditions of the search operation are satisfied. 

Lemma 43. Each call to the search operation that terminates satisfies its post-conditions. 

Proof: Assume search(wa/) returns {gp, p, node, gplnfo, pinfo, rmvd). Lemma |6] shows the first four 
post-conditions of the search operation are satisfied. We prove the last two here. 



If rmvd is true, we prove that node is logically removed at line 124 Let / be the value of node.info at 
line [84] If rmvd is set to true at line 84 node is a leaf node whose info field is a Flag object at line 84 and 
node.inf o.pN ode[0\ is not a parent of node.info.oldChild[0] at line 124 By Lemma 40 node.info = I at all 
node is logically removed at line |124| by Lemma 41 



times after line [84] Thus, 

If rmvd is false, we prove that node is logically in the trie at some time during the search operation. By Lemma 
36 node is reachable at some time T between the beginning of the search and the time the search visits node. If 
node is an internal node, then it is logically in the trie at T. Otherwise, node is a leaf node. Since rmvd is false, 
line 123 or 124 returns false. If line 123 returns false, then when node.info is read on line 84 it is not flagged. 



This occurs after node is visited at line 82 and therefore after T. By Observation 26 node is not flagged at T, so 
node is logically in the trie at T by Lemma 41 If line 124| returns false, then node = I.rmvLeaf (since the test 
at line 123 failed) and I.pNode[0] is a parent of I.oldChild[0] at line 124 By Lemma 41 node is not logically 



removed at line 124 Therefore, node is not logically removed at L. 



Lemma 44. Assume search(val) returns ( -, -, node, -, -, rmvd). If node is not a leaf node whose label is val, 
or rmvd is true, there is a time during the search operation when no leaf node whose label is val is logically in 
the trie. 

Proof: First, consider the case where node is not a leaf node whose label is val. Let p be the last internal 
node visited by search(tiaO such that p. label is a prefix of val. Let i be the index such that {p.label).i is a prefix 
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of val. Let x be the child of p that the search operation visits. By definition of p, x is not a leaf node whose label 
is val. By Lemma 36 there is a time during search(wa/) that p.child[i] — x and p and x are both reachable. By 
Invariant [t] at that time, no leaf node whose label is val is reachable. 



Now, consider the case where node is a leaf node whose label is val and rmvd is true. By Lemma 43 node is 



logically removed at some time during search(uaO. Let T be the first time that node is logically removed. Then, 



the search operation executes line 124 after T. By Lemma 41 node.in fo is a Flag object / at T. Then, / is created 
at Une 55 or 57 Let p be the second last node visited by search(uaZ). By Lemma 36 there is a time T' during 
search(waO that p.child[i] = node and p and node are both reachable. At T', no other leaf node whose label is 
val is reachable by Invariant |7] We consider two cases. 

Case 1: T is before T'. Since node is logically removed at all times after T, node is logically removed at T' . 
So, no leaf node whose label is val is logically in the trie at T' . 

Case 2: T is between T' and the time when the search operation executes line 124 By the definition, the first 
child CAS of / is performed at T. By Lemma 40 node.info = / at all times after T. Let {gpd, Pd, noded, -, -, 
-) be the result returned by the call to the search operation on line 45 that precedes the creation of / and (-, pi, 
nodei, -, -, -) be the result returned by the call to the search operation on line 47 that precedes the creation of /. 



By the pseudo-code and Observation [26] I .rmvLeaf — noded = node 

or 



57 Pd £ Fj — Ui and gpd G Fj. By Corollary 39 pd.info — I and gpd.info = I 



31 



Since / is created at line 55 

just before T. By Lemma |6]and 31 gpd.child[igp] — pd and pd-child[ip] — node just before T for some 
and ip. Since gpd S Fj and gpd was reachable at some time during the search operation by Lemma 36 gpd, Pd 
and node are reachable just before T by Corollary 34 By the pseudo-code, pi.child is changed at T. Now, we 



show that gpd.child[igp] and pd.child[ip] are not changed at T. In this case, since pd ^ nodei, gpd.child[igp] is 
not changed from pd to other value at T. Also, since pd ^ Pi, Pd-child[ip] is not changed at T. So, just after T, 
gpd.child[igp] = pd and pd.child[ip] = node and gpd is reachable since gpd ^ Fj — Uj. By Invariant |7] no other 
leaf node whose label is val is reachable just after T. Since node is logically removed at T, no leaf node whose 
label is val is logically in the trie just after T. ■ 
Now, we define a set that represents all non-empty leaf nodes that are logically in the trie at the same time. 

Definition 45. We define the set activeValues at time T to be the set of all values contained in leaf nodes that 
are logically in the trie at time T. 

Since the children of root are initially two leaf nodes whose labels are 00. ..0 and 11. ..1, activeValues is initially 
{00. ..0, 11. ..1}. By the definition of logically in the trie, activeValues can be changed only by successful child 
CAS steps. 

A find(i;aO operation that returns true executes a search(waZ) that returns ( -, -, node, -, -, rmvd) where node 
is a leaf node whose label is val and rmvd is false. By the last post-condition of search, there is a time during 
the search when node is logically in the trie, so val £ activeValues at that time. This is the linearization point of 
search(waZ) and find(waZ) that returns true. 

A find(waO operation that returns false executes a search(tiaO that returns ( -, -, node, -, -, -) where node is not 



a leaf node whose label is val, or rmvd is true. By Lemma 44 there is a time during the search when no leaf 
node whose label is val is logically in the trie, so val ^ activeValues at that time. This is the linearization point 
of search(waO and find(wa/) that returns false. 



E. Correctness of Update Operations 

In this section, we show that the update operations behave correctly. First, we show that if a child CAS of an 
update is performed, the operation returns true. 

Lemma 46. // an update operation creates a Flag object I and a child CAS of I is performed, then the update 
operation returns true (unless it crashes). 

Proof: Let op be the update operation that created /. Assume that, a child CAS of / on FpNode[i] is performed 
and op does not crash. We show that op returns true. After creating /, op calls help(/) at line [32] [4T]o r [TT] There 
are two different cases inside help(/) depending on the value of the doChildC AS variable at line [93[ 
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Case 1: doChildCAS is true at line|93] So, op sets I.flagDone to true at line 94 By Observation 19 I.flagDone 



is not set to false after that. Since I .flagDone is true at line[99j the call to help(/) by op returns true at line 102 
So, op returns true just after help(/) returns. 



Case 2: op sets doChildC AS to false on line 91 at time T. So, node.info 7^ / at T for some node e F/. Before 
T, op tries to set node.info to / using a flag CAS of /. So, the first flag CAS of / on node is executed before T. 



By Corollary 39 and Lemma [161 this first flag CAS of / on node succeeds before T. Since node.info 7^ / at T, 



node.info is set to / and, then changed from / to some other value before T. By Lemma 22 a child CAS of / 



is performed before T. By Observation 20 I.flagDone is set to true before T. By Observation 19 I .flagDone 



is not set to false after that. Since I .flagDone is true at line 99 the call to help(/) by op returns true at line 102 
So, op returns true just after help(/) returns. I 



By Lemma 46 we have the following corollary. 



Corollary 47. Let I be a Flag object that is created by an update operation. If the update operation returns false, 
there is no child CAS of I. 

During each loop iteration of an update operation, the update operation might create a new Flag object /. The 
following lemma shows if the update operation begins the next iteration of the loop, no child CAS of / succeeds. 

Lemma 48. Let I be a Flag object that is created during a loop iteration of an update operation. If the update 
operation begins the next iteration of the loop, no child CAS of I is ever performed. 

Proof: Assume that an update operation op creates a Flag object / during a loop iteration and begins the next 

Since op does not return true at the 



iteration of the loop. After creating /, op calls help(/) at line 32 41 or 71 



end of the loop iteration after help(/) returns, help(/) returns false. By Lemma |46| there is no child CAS of /. ■ 
Let / be a Flag object that is created at line [55] or 57 Since the condition at Une|F|that precedes the creation of 
/ is satisfied, I.oldChild[0] ^ I.oldChild[l]. So, by Lemma 38 we have the following Corollary. 



Corollary 49. Let I be a Flag object in which I.pNode has two elements. Then, the child CAS of I on I.pNode[0\ 
and I .pNode[l] cannot succeed on the same location. 



Lemma 50. Let I be a Flag object that is created at line 59 Let 

nodei, -, - 



the call to search(vald) on line 45 and 



Pd, 



node,! 



be the result returned by 



Pi. 



-, -) be the result returned by the call to search(vali) on 
line p7| that precedes the creation of I. Then, if there is a successful child CAS of I at time T, pd = Pi- 



Proof: In this case, nodei — node^. By Lemma 30 T is the first child CAS of /. By Lemma |6] and 31 



Pd 

was a parent of noded at all times between the time when search(i;a^rf) reads pd.info and T. Since pd € Fj, by 



Corollary 39 pd.info 



I just before T. By Lemma 36 pd was reachable at some time during sesrch(vald). By 

Pd is 



Lemma 25 pd is not marked between the time when ssaich(vald) reads pd-info and T. By Corollary 34 



reachable at all times between the time when search(tia^d) returns and T. By Lemma 36 there is a time during 
search(wa/i) that pi is a parent of nodei = noded and Pi is reachable. So, at that time, pd and Pi are both parent 
of node and both reachable. By Lemma |9] Pi ~ pd- ■ 

Lemma 51. Consider a Flag object I. Let {gp, p, node, gplnfo, pinfo, -) be the result returned by the call to 
search(val) on line 23 36 45 that precedes the creation of I. If I is created by a replace operation, let {-, pi, 
nodei, -, pinfoi, -) be the result returned by the call to search(vali) on line 47 that precedes the creation of I. 
Then, if there is a successful child CAS of I on I.pNode^] at time T, 

• p and node are reachable just before T, and 

• Pi and nodei are reachable just before T (if I is created by a replace operation). 

Proof: To prove the lemma, first we show p and node are reachable just before T. Since / is created by an 
update operation, p ^ Fj and T is the first child CAS of / by Lemma 32 By Corollary 39 p.info — I just before 



T. By Lemma 36 p was reachable at some time during search(uaO. Since p is not marked before T, by Corollary 
34 p is reachable just before T. By Lemma |6j p is a parent of node at some time during search(wa/). By the 
pseudo-code, p £ Fj. By Lemma 31 p is a parent of node just before T. Since p is reachable just before T, node 
is also reachable just before T. 
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For the rest of the proof, assume / is created by a replace operation. Now, we show pi and nodci are reachable 
just before T. If / is created at line 59 by Lemma 50 p = pi and pi £ Fj. 
a replace operation, by the pseudo-code, pi E Fj. 



By Corollai-y 39 



Pt 



was reachable at some time during search(uaZi). Since pi is not marked before T, by Corollary 34 



just before T. By Lemma |6j pi is a parent of nodei at some time during search(i;a^i). By Lemma 31 
of nodci just before T since pi E Fj. Since pi is reachable just before T, nodci is also reachable just before T 



If / is created at any other line inside 
info = I just before T. By Lemma 36 pi 

Pi is reachable 
Pi is a parent 



Lemma 52. Let I be a Flag object that is created at line 55 or 57 and {gpd, Pd, nodcd, -, -, -) be the result 
returned by the call to search(vald) on line 45 that precedes the creation of I. Then, if there are a successful child 
CAS of I on I.pNode[Q\ at T and a successful child CAS of I on I.pNode[[\ at T', pd and noded are reachable 
at all times between T and T' and pd and noded become unreachable immediately after T'. 



Proof: First, we show that pd and noded are reachable at all times between T and T'. By Lemma 51 and 51 
noded and pd are reachable just before T. In this case, gpd and pd are in Fj. By Lemma |6] gpd is a parent of pd 
at some time during seaich{vald) and pd is a parent of noded at some time during seaich{vald)- By Lemma 31 



and Corollary 49 gpd is a parent of pd and pd is a parent of noded just before T' (since pi ^ pd). By Corollary 
39 and Lemma 22 gpd-info = I just before T' and gpd is not marked just before T'. By Corollary 34 gpd is 
reachable just before T'. So, pd and noded are reachable just before T' . Thus, by Lemma 37 pd and noded are 
reachable at all times between T and T' . 

Now, we show that pd and noded become unreachable immediately after T'. By Lemma 35 
unreachable at T'. By Lemma [9j pd is the only reachable parent of noded just before T'. Thus 
becomes unreachable at T' . 



Pd becomes 
noded also 



Lemma 53. Consider a Flag object I. Let ( -, p, node, -, pinfo, rmvd) be the result returned by the call to the 
search operation on line [25] [56] or [45| that precedes the creation of I. If the first successful child CAS of I is at 
time T, then node is logically in the trie just before T. 



node is reachable just before T. We show that node is not logically removed at any 



Proof: By Lemma 51 
time before T. 

To derive a contradiction, assume node becomes logically removed at T' before T. Let I' ^ I he the Flag object 
such that node is logically removed by the first child CAS of /' at T' . Then, /' is created at line 55 or 57 Let ( -, 
Pi, nodei, -, -, -,-,-) be the result returned by the call to the search operation on line 45 that precedes the creation 
of /'. Since I' .rmvLeaf is set to nodei, node = nodei. Since node and pi become unreachable immediately after 



the successful child CAS of /' on F .pNode[l\ (by Lemma 52 1, node and pi do not become reachable after that 
(by Lemma [37 



But, node and pi are reachable just before T (by Lemma [51] and 51 



of /' on F .pNode[l] does not occur before T. By Lemma 31 and Corollary 49 



Pi 



so the successful child CAS 
is a parent of node just before 



T (since T is between the first child CAS of /' on F.pNode[0] and the first child CAS of /' on F.pNode[l]). By 
Lemma [6| and 31 p is a parent of node just before T. By Lemma 51 p is reachable just before T. By Lemma [9] 
Pi = p (since both p and pi are reachable parents of node just before F). Since /' is created at line 55 or [57] by 
the pseudo-code, p ~ pi E Fji. By Corollary 39 p.info = /' just before T (that is between the first child CAS of 



/' on F .pNode[Q] and the first child CAS of /' on F .pNode[l]), contradicting the fact that p.info = I ^ F just 



before F by Lemma 25 



1 ) Correctness of the Insert Operation: In this section, we show how the set activeValues is changed by insert 
operations and, then we show how to linearize insert operations. 

Lemma 54. If insert(val) returns false, there is a time during the insert(val) when val E activeValues. 

Proof: Assume insert(wa/) returns false. Let ( -, -, node, -, -, rmvd) be the result returned by the last call 
to search(t;aO just before insert(uaO returns. Since insert(wa/) returns false at line[24j keylnThe(node, val, rmvd) 



returns true at line 24 Then, node is a leaf node containing val and rmvd is false. By Lemma [43] node is logically 
in the trie at some time during search(uaO- So, val E activeValues at that time. ■ 



Let / be a Flag object created by insert(waO. By Corollary 47 there is no successful child CAS of / if insert(waO 
returns false. So, activeValues is not changed by a child CAS of /. 

Let / be a Flag object that is created during a loop iteration of insert(uaO- If a child CAS of / succeeds, by 



Lemma 46 insert(wa/) returns true at the end of the loop iteration unless it crashes. If a child CAS of / succeeds. 
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we say insert(tiaO is successful. By Lemma 30 and 32 only the first child CAS of / succeeds. In the following 



lemma, we show how the successful insert operations change activeValues. 

Lemma 55. Let I be a Flag object that is created by insert(val). Assume a child CAS of I succeeds at time T. 
Let s be the set activeValues just before T and let s' be the set activeValues just after T. Then, val (jz. s and 
s' = s U \vaV\ 

Proof: 

Let ( -, p, node, -, -, rmvd) be the result returned by the call to search(z;a/) that precedes the creation of /. 
Then, p G Fj. By Lemma |6] p.label is a prefix of val and if node is an internal node, node.label is not a prefix 
of val. Since insert(vaO does not return false at line 24 before the creation of / by Corollary 47 either node is 
not a leaf node whose label is val or rmvd is true. If node is not a leaf node whose label is val, since p is parent 
of node just before T (by Lemma |6] and 31 1 and p is reachable just before T (by Lemma 51 1, p is not an ancestor 
of a leaf node whose label is val just before T. If node is a leaf node whose label is val and rmvd is true, by 



Lemma 43 node is logically removed at some time during search(uaO, so node is logically removed just before 
T. Since p is a parent of node just before T and p is reachable just before T, no leaf node whose label is val is 
logically in the trie just before T by Invariant [t] Thus, val ^ s. 

The successful child CAS of / changes an element of I .pNode[0].child from I.oldChild[0] to I.newChild[0]. 
When / is initialized, I.pNode[0] and I.oldChild[0] are set to p and node respectively. The successful child CAS 
of I changes an element of p.child from node to FnewChild[0\ at time T. When / is initialized, I .newChild[Q\ 



is set to the new internal node created at line 121 The non-empty elements of the child field of the new internal 



node are a new copy of node and a new leaf node whose label is val. 

If node is a leaf node, since p is reachable just before T (by Lemma [ST]), just after T, node is unreachable and 
the new leaf node and the new copy of node are reachable. So, s' — s[J {val}. 

If node is an internal node, node S Fj by the pseudo-code and, by Lemma [3T| no child CAS changes node. child 



between the time when node.info is read for the last time on line 25 and T. Since the new copy of node is made 



at line 26 between the time when node.info is read for the last time on lin e [25] and T, node. child just before T 
is the same as the children of the new copy of node just after T. By Lemma [51] p is reachable just before T. Just 
after T, node is unreachable and the new leaf node and the new copy of node are reachable. Also, all children of 
node just before T are reachable just after T. So, activeValues — sU {val}, just after T. ■ 
An insert('i;aZ) returns false executes a search(wa/) that returns ( -, -, node, -, -, rmvd) where node is a leaf node 
whose label is val and rmvd is false. By the last post-condition of search, there is a time during the search when 
node is logically in the trie, so val € activeValues at that time. This is the linearization point of search(uaO and 



insert(t;aO that returns false. By Corollary 47 if insert(uaO returns false, there is no child CAS of / where / is 
created by insert(uaZ). 

If the first child CAS of / that is created by insert(uaO occurs, insert(t;aO is linearized at that child CAS of /. 



By Lemma 32 the first child CAS of / succeeds and by Lemma 30 no other child CAS of / succeeds. By Lemma 
55 val ^ activeValues just before the first child CAS of / and val is added to activeValues just after the first 



child CAS of /. By Lemma 46 if the first child CAS of / occurs, insert(waZ) returns true (unless it crashes). 

If insert(waO does not return false and the first child CAS of / that is created by insert(tiaO does not occur, no 
linearization point is assigned to insert('i;aO. 

2) Correctness of the Delete Operation: In this section, we show how the set activeValues is changed by delete 
operations and, then we show how to linearize delete operations. 

Lemma 56. If delete(val) returns false, there is a time during the delete(val) when val ^ activeValues. 

Let ( ■ 



Proof: Assume delete(waO returns false at line 37 



-, node, -, - rmvd) be the result returned 
by the last call to search(uaZ) before delete(uaO returns false. Since delete(uaO returns false at line 37 
keylnTne(nod, val , rmvd) returns false at line 37 Then, node is not a leaf node whose label is val or rmvd 



is true. By Lemma 44 there is a time during search('i;aO when there is no leaf node that has label val is logically 



in the trie. So, val ^ activeValues at that time. ■ 
Let / be a Flag object created by delete(uaO- By Corollary 47 there is no successful child CAS of /. So, 
activeValues is not changed by a child CAS of /. 
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Let / be a Flag object that is created by delete(i;aZ) during a loop iteration. If a child CAS of / on I.pNode[Q] 
succeeds, by Lemma |46] delete(t;aO returns true at the end of the loop iteration unless it crashes. If a child CAS 



of / on I .pNode[0] succeeds, we say delete(wa/) is successful. By Lemma 30 and 32 only the first child CAS of 
/ succeeds. In the following lemma, we show how the successful delete operations change activeValues. 

Lemma 57. Let I be a Flag object that is created by delete(val). Assume a child CAS of I succeeds at time T. 
Let s be the set activeValues just before T and let s' be the set activeValues just after T. Then, val G s and 
s' = s — {val} 

Proof Let {gp, p, node, -, -, rmvd) be the result returned by the call to search(t;aO that precedes the creation 
of /. Since delete(uaO does not return false at line|37]by Corollary 47 node is a leaf node whose label is val and 
rmvd is false. By Lemma 53 node is logically in the trie just before T, so val G s. 

The successful child CAS of / changes an element of I .pNode[0].child from I.oldChild[0] to I.newChild[0]. 
Now, we show that s' = s — {val}. The nodeSibling variable is set to an element of p. child at line 38 When / 
is initialized, I.pNode[0], I.oldChild[0] and I.newChildlO] are set to gp, p and nodeSibling respectively at line 



40 Let T' be the time when p.info is read for the last time during the search(waO that precedes the creation of 



I. By Lemma 31 since p e Fj, p. child is not changed between T' and T. Since p is a parent of node after T' 
during search(uaZ) (by Lemma [6|, node and nodeSibling are children of p at all times between T' and T. The 



child CAS of / changes an element of gp.child from p to nodeSibling at T. By Lemma 51 p is reachable just 
before T. So, just before T, node and nodeSibling are also reachable. By Lemma |9] no other leaf node whose 
label is val is reachable just before T. 

In this case, gp ^ Fj — Uj. By Lemma 25 and Corollary 34 gp is reachable just before T. So, just after T, p and 
node are not reachable, but gp and nodeSibling are reachable. If nodeSibling is an internal node, all elements of 
its child field that are reachable just before T are reachable just after T. Thus, s' = s — {val}. ■ 

A delete(wa/) returns false executes a search(wa/) that returns ( -, -, node, -, -, rmvd) where node is not a leaf 
node whose label is val, or rmvd is true. By Lemma 44 there is a time during the search when no leaf node 



whose label is val is logically in the trie, so val ^ activeValues at that time. This is the linearization point of 



search(wa/) and delete(tiaO that returns false. By Corollary 47 if delete(wa/) returns false, there is no child CAS 
of I where / is created by delete(i;aO. 

If the first child CAS of / that is created by delete(waO occurs, delete(uaO is linearized at that child CAS of /. 



By Lemma 32 the first child CAS of / succeeds and by Lemma 30 no other child CAS of / succeeds. By Lemma 



57 val € activeValues just before the first child CAS of / and val is removed from activeValues just after the 



first child CAS of /. By Lemma 46 if the first child CAS of / occurs, delete(waO returns true (unless it crashes). 



If delete(wa/) does not return false and the first child CAS of / that is created by delete(ua/) does not occur, no 
linearization point is assigned to delete(uaO. 

3) Correctness of the replace operation: In this section, we show how the set activeValues is changed by 
replace operations and, then we show how to linearize replace operations. 

Lemma 58. If replace(vald, vali) returns false, there is a time during replace(vald, vali) when vald ^ activeValues 
or vali G activeValues. 

Proof: Assume replace(waZ(j, vali) returns false. Then, we have two cases according to what line returns false. 

-, nodcd. 



Case 1: replace(t;aZrf, wa^i) returns false at line 46 



Let 



rmvdd) be the result returned by the 



last call to search(tia^rf) on line 45 So, keyInTrie(7io(iec;, vald, movedd) returns false at line 46 Then, nodcd is not 



a leaf node containing vald or rmvdd is true. By Lemma 44 there is a time during search(i;a^rf) when there is no 
leaf node that has label vald and is logically in the trie. So, vald 4- activeValues at that time. 

Case 2: replace(uaZd, vak) returns false at line 48 Let ( -, -, nodci, -, - rmvdi) be the result returned by the last 
call to search(i;a^i) on line 47 before replace(uaZrf, ua^i) returns false. So, key InTrie(noc?ei, wa/i, rrnudi) returns 



true. Then, nodci is a leaf node containing vali and rmvdi is false. By Lemma 43 nodci is logically in the trie 
at some time during search(i;a/i). So, vak € activeValues at that time. ■ 



Let / be a Flag object created by mp\cice(v aid, vak). By Corollary 47 there is no successful child CAS of /. 
So, activeValues is not changed by a child CAS of /. 

Let / be a Flag object that is created by replace(waZci, vak) during a loop iteration. If, for all i, a child CAS of 



/ on LpNode[i] succeeds, by Lemma 46 veplnceivakhvak) returns true at the end of the loop iteration unless it 
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crashes. If a child CAS of / on I.pNode[0] succeeds, we say replace('i;aZ£;, vak) is successful. By Lemma 30 and 
32 only the first child CAS of / on I .pNode[Q] succeeds. 

There are different cases of Teplace{vald,vali) depending on what line creates /. The general case of 
Teplace(vald,vali) is when / is created at line 55 or 57 The special cases of Teplace(vald,vali) are when / 



is created at line |59] |64] or |70] First, we show how successful replace operations that perform the general case 
change activeValues. 



Lemma 59. Let I be a Flag object that is created by replace(vald,vali) at line 55 or 57 Assume a child CAS 
of I on I .pNode[0\ succeeds at time Tq and a child CAS of I on I .pNode[l\ succeeds at time Ti. Let so be the 
set activeValues just before Tq, let Sq be the set activeValues just after Tq, let si be the set activeValues just 



vaid fc So, vali ^ sq, Sq 



So U {vak} - {vald} 



before Ti and let s'l be the set activeValues just after Ti. Then, vald G 
and s'l — si. 

Proof: Let ( -, pi, nodci, -, -, rmvdi) be the result returned by the call to search(tia^i) on line 47 that precedes 
the creation of /. When / is initialized, I .pN ode[Q\, I.oldChild[0] and I.newChild[Q] are set to pi, nodci and 



the new node that is created at line 53 The child CAS of / on I.pNode[()\ at To behaves in the same way as 



a successful child CAS of an insert(?;a^i) operation. By a similar argument to Lemma 55 only nodci becomes 
unreachable just after Tq, vali € Sq and vali ^ sq. 
Now, we show that vald G Sq. Let {gpd, Pd, noded 



-, rmvdd) be the result returned by the call to search(wa/d) 



on line 45 that precedes the creation of /. Since Kp\ac&{vald,vali) does not return false at line 46 noded is a 
leaf node whose label is vald and rmvdd is false. By Lemma 53 nodcd is logically in the trie just before To, so 
vald G Sq. Next, we show that, vald ^ Sq. 

By the pseudo-code, I.rmvLeaf is nodcd- By the definition of logically removed, nodcd is logically removed 
just after To and nodcd is not logically in the trie at any time after To. Since nodcd is reachable just before To (by 
Lemma [5T]), no other leaf node whose label is vald is reachable just before To by Lemma |9] Since the condition at 
line|F|is true, nodcd 7^ nodci. So, nodcd is reachable just after To (since I.oldChild[0] ^ nodcd)- So, no other leaf 
node whose label is vald is reachable just after To. So, sf) = sq — {vald] U {vali} (since vali ^ sq and vali G Sq). 

Now, we show si = s^ By the definition of logically removed, node is logically removed at all times after Tq. 
By Lemma 51 nodcd is reachable just before Ti. By Lemma |9] no other leaf node whose label is vald is reachable 
just before Ti. So, vald ^ si. 

Let nodeSibling be the node that is read as an element of pd-child at line |50] Since / is created at line |55] 
or 57 I .pN ode[l\, I .oldChild[l\ and I .newChild[l\ are set to gpd, Pd and nodeSibling, respectively. The child 



CAS of / on I .pN ode[\\ is the same as a successful child CAS of /' where /' is created by de\&t&{vald) at line 
40 However, by the definition of logically removed, nodcd is logically removed just after To. Since the condition 
at line|F|is true, noded 7^ nodci. So, an element of pd-child is not changed from noded to another value at Tq. 
By a similar argument to Lemma 57 only nodcd and pd become unreachable just after Ti and no other leaf node 
whose label is vald becomes reachable just after Ti. Since noded is a leaf node whose label is vald, nodcd is the 
only leaf node that becomes unreachable just after Ti and vald ^ si, si = s'^. ■ 
Next, we show how successful replace operations that perform special cases of the replace operation change 
activeValues. 



Lemma 60. Let I be a Flag object that is created by replace(vald, vali) at line 59 64 or 70 Assume a child CAS 
of I succeeds at time T. Let s be the set activeValues just before T and let s' be the set activeValues just after 
T. Then, vald € s, vali ^ s and s' = s U {vali} — {vald}- 



Proof: Let {gpd, Pd, nodcd, -, -, rmvdd) be the result returned by the call to search(t;a^d) on line 45 that 



precedes the creation of /. Since Teplace{vald,vali) did not return false at line 46 nodcd is a leaf node whose 

is logically in the trie just before T. So, vald € s. 

Pi, nodci, -, -, rmvdi) be the 



label is vald and rmvdd is false. By Lemma 53 nodcd 

Now, we show no leaf node containing vak is reachable just before T. Let 
result returned by the call to search(ua/i) on line 47 that precedes the creation of /. By Lemma |6] pi.label is a 
prefix of vali and if node-i is an internal node, nodei.label is not a prefix of vali. So, by Invariant |7] pi is the 
lowest internal node whose label is a prefix of vali that search(uaZi) visits. By Lemma |6] pi is a parent of nodei at 
some time during search(wa?i). By Lemma 31 Pi is a parent of nodci just before T. By Lemma 51 is reachable 
just before T. 
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Since replace(uaZrf, vali) did not return false at line 48 nodci is not a leaf node containing vali or rmvdi is true. 
If rmvdi is true, by Lemma 43 nodci is logically removed at some time during search(t;aZi). If nodci is a leaf 

since rmvdi is true, nodci is logically removed just before T. Since pi is a reachable 



is true, by Lemma 43 
node whose label is val 



parent of nodei just before T, pi is not an ancestor of any other leaf node containing vak just before T. If nodci 
is a leaf node and nodei.label ^ vak, since pi is a reachable parent of nodei just before T and pi.label is a prefix 
of uaZ, (by Invariant |7]), is not an ancestor of any leaf node containing vali just before T. If nodei is an internal 
node, since pi is a reachable parent of nodei just before T and nodei.label is not a prefix of t^a/i (by Lemma |6|, 
Pi is not an ancestor of any leaf node containing vali just before T. Thus, no leaf node containing vali is logically 
in the trie just before T and vali ^ s. 

The successful child CAS of / changes an element of I .pNode[0].child from I.oldChild[0] to I.newChild[0]. 
There are different special cases. We show that s' = s — {vald} U {vak} for each case. 

Case 1: / is created at line 59 Then, nodej. — nodei. When / is initialized, I.pNode[0] I.oldChild[0] and 

Since the operation does not return 
nodei is reachable just before 



I .newChild[0] are set to pd, nodei and a new leaf node whose label is vak 



at line 46 noded = nodCi is a leaf node and noded.label = vald. By Lemma 51 



T. By Lemma |9] no other leaf node containing vald is reachable just before T (since nodei — nodcd). So, pd and 
the new leaf node whose label is vak are reachable just after T and nodei — noded becomes unreachable at T. 
Since nodei = noded is a leaf node whose label is ua/di s' = s — {waZ^} U {vali}. 

Case 2: / is created at line 64 Let nodeSibling be an element of pd.child that is read at line 50 Then, new Node 
be the node that is created at line [62] Then, new Node. child are initially a new leaf node whose label is vak and 
nodeSibling. When / is created, I .pN ode[0\, I.oldChild[0] and I.newChild[0] are set to gpd, Pd and newNode. 
Since the operation does not return at line|46j noded is a leaf node whose label is vald. Then, nodeSibling is set 
to an element of pd.child that is not noded at line 50 (by Invariant |7]). So, noded and nodeSibling are children of 

— nodei just before T (by Lemma 31 1. By Lemma 51 noded is reachable just before T. Since noded is a leaf 



node containing wa/^, by Lemma|9] no other leaf node containing vald is reachable just before T. By Lemma|9] gpd 
is the only reachable parent of pd just before T and pd is the only reachable parent of noded just before T. At T, 
an element of gpd. child is changed from pd to newNode. So, just after T, p^; and nodcd become unreachable and 
newNode and a new Leaf node whose label is uaZi become reachable. Since nodeSibling is a child of newNode 
just after T, nodeSibling is reachable just after T. Thus, s' = s — {vald} U {tiaZi}. 

Case 3: / is created at line 70 Then, gpd = nodci. Let nodeSibling be an element of pd.child that is read at line 
[50] pSibling be an element of gpd that is read at line|66] Then, newChild is the new node that is created at line [67] 
and newNode is the Internal node that is created at line 69 Initially, the children of newChild are nodeSibling 
and pSibling. Initially, the children of newNode are a new Leaf node whose label is vak and newChild. When 
/ is created, I.pNode[Q\, I .oldChild[{)\ and I .newChild[0\ are set to pi, nodci and newNode. Since pi £ Fj, 
by Lemm a p5| is not marked at all times between the last time pi.info is read during search(tia^i) and T. By 
Corollary |34| pi is reachable at all times between the last time pi.info is read during search(z;a^i) and T. By 
Lemma |6] and 31 

Since 



Pi is a parent of nodci just before T. So, nodci is reachable just before T. Since gpd € Fj, the 
children of gp^ = nodci are and pSibling just before T (by Lemma 31 
nodcd and nodeSibling just before T (by Lemma 31 1 



By Lemma 51 pi, node 



<d €E Fj, the children of pd are 
gPd, Pd, pSibling, nodcd and 
nodeSibling are reachable just before T. Since nodcd is reachable just before T, no other leaf node containing 
vald is reachable just before T (by Lemma |9]l. By Lemma |9j pi is the only reachable parent of gpd — nodci just 
before T, gpd is the only reachable parent of pd and pSibling just before T and pd is the only reachable parent of 
nodcd and nodeSibling just before T. At T, an element of pi.child is changed from gpd = nodci to newNode. 
Just after T, nodci — gpd, Pd and nodcd become unreachable and newNode, newChild, a new Leaf whose label 
is vak are reachable. Since nodeSibling and pSibling are children of newNode just after T, nodeSibling and 
pSibling are reachable just after T. Since nodcd is the only reachable leaf node containing waZd just before T, 
there is no reachable leaf node containing vald just after T. Thus, s' ~ s — {vald} U {wa^i}. ■ 
A Teplace(vald, vak) returns false at line 46 executes a search(vald) that returns ( -, -, nodcd, -, -, rmvdd) 
where nodcd is not a leaf node whose label is vald, or rmvdd is true. By Lemma 44 there is a time during 
the search(tia^d) when no leaf node whose label is vald is logically in the trie, so vald ^ activeValues at that 
time. This is the linearization point of search(uaZd) and delete(waZd) that returns false at line 46 A replace(uaZd, 

nodci. 



vak) returns false at line 48 executes a search(uaZi) that returns 



rmvdi) where nodci is a 
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leaf node whose label is vali and rmvdi is false. By the last post-condition of search, there is a time during the 
search(wa/i) when nodei is logically in the trie, so vali E activeV alues at that time. This is the linearization point 
of search(uaZ(i) and delete(i;a^d) that returns false at line 48 By Corollary 47 if rt^\?ict{vald, vali) returns false, 
there is no child CAS of / where / is created by replace(wa^(i, vali). 

Let / be a Flag object that is created by replace(wa/(;, vali). If the first child CAS of / on I .pN ode[Q\ occurs, 
replace(i;aZd, vali) is linearized at that child CAS of /. By Lemma [32{ the first child CAS of / on I.pNode[{S\ 



succeeds and by Lemma 30 no other child CAS of / on I.pNode[Q\ succeeds. By Lemma 59 and roOl vald G 



activeValues and vali ^ activeValues just before the first child CAS of / on I .pNode[0\ and vald is removed 
from activeValues and vali is added to activeValues just after the first child CAS of / on I.pNode[0]. By 



Lemma 46 if the first child CAS of / on I .pNode[0] occurs, replace(waZ(j, vali) returns true (unless it crashes). If 
I is created at line 55 or 57 and the first child CAS of / on I.pNode[l] occurs, activeValues is not changed at 



the first child CAS of / on I.pNode[l] (by Lemma p9\. 

In Section [Ej we have shown that activeValues is changed correctly just after the linearization points of update 
operations. By the definition of logically in the trie, activeValues can be changed only by successful child CAS 



steps. By Lemma 30 and 32 only the first child CAS of / on each element of I.pNode succeeds. We show 



that activeValues is changed at the first child CAS of / on I .pNode[0] by Lemma 55 57 59 and 60 If / is 
created at line 55 or 57 we show that the first child CAS of / on I.pNode[l] does not change activeValues. So, 



activeValues is only changed by the child CAS of / on I .pNode[0]. Since activeValues is changed correctly. 



the find operation returns correct results at its linearization point, according to Lemma 43 and 44 



F. Progress 

By the lemmas in previous sections, each operation returns the same result as it would if the operations were done 
in the order of their linearization points. So, operations are linearized correctly. Now, we show the implementation 
is non-blocking. 

First, we show that the search operation is wait-free. 

Lemma 61. The search operation is wait-free. 

Proof: Let £ be the length of the keys in U. By Invariant |7j length of node.label increases by at least one in 
each iteration of loop. Since labels of nodes have length at most £, there are at most £ iterations. ■ 
Initially, the children of root are two leaf nodes whose labels are 00. ..0 and 11. ..1. The following lemma shows 
that two leaf nodes whose labels are 00... and 11... 1 are logically in the trie at any time. 

Lemma 62. Two leaf nodes whose labels are 00... and 11... 1 are logically in the trie at all times. 

Proof: Initially, root.child is set to two leaf nodes whose labels are 00. ..0 and 11. ..1. So, initially, 00. ..0 and 
11. ..1 are in the activeValues set. By the definition, only the successful child CAS steps change the activeValues 
set. By the precondition of update operations, if insert(waO, delete(wa/) is called, val is not equal to 00. ..0 or 11. ..1. 
By Lemma |48] |55] and |57j no child CAS of / that / is created by an insert operation or a delete operation removes 
00. ..0 or 11...1 from activeValues. By the precondition of replace operation, if replace('i;aZ, val') is called, val 



and val' are not equal to 00. ..0 or 11. ..1. By Lemma 48 59 and 60 no child CAS of / that / is created by a 
replace operation removes 00... or 11... 1 from activeValues. So, 00... and 11... 1 are in the activeValues set 
at any time. Thus, two leaf nodes whose labels are 00. ..0 and 11...1 are logically in the trie at all times. ■ 
The next lemma shows that all nodes in Fj — Uj are unreachable after a child CAS step of / on each element 
of I.pNode succeeds. 

Lemma 63. Let I be a Flag object. If the child CAS of I on each element of I.pNode is performed by time T, 
all nodes in Fi — Uj are unreachable at all times after T. 

Proof: Since the first child CAS of / on each element of I.pNode is performed by time T, a child CAS of 

59 



/ on each element of I.pNode succeeds by time T (by Lemma 32 1. If / is created at line 30 31 
or 64 every node in Fi — Uj is also in I.oldChild. So, if / is not created at line 70 by Lemma 
Ui are unreachable at all times after T. 



55 



and 



all 



nodes in Fj 

Now, we show if / is created at line 70 all nodes in Uj 

nodcd, -, 



Fj are unreachable at all times after T. Let {gpd, Pd, 



be the result returned by the call to search(i;a^rf) on line 45 that precedes the creation of / and 
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Pi, nodci, -, • 
/ is created at line 



be the result returned by the call to search(waZi) on line 47 that precedes the creation of /. Since 

Fi 



Ui = {gPd,Pd}- Since I .oldChild[0] = gpd, gpd is unreachable at all times after T 
We show that pd becomes unreachable just after the first child CAS of / (which is before 



(by Lemma 35 and 
T). 

Since pi € Fj, pi.info = / just before the first child CAS of / (by Corollary 39 1 and pi is not marked just 
before the first child CAS of /. So, pi is reachable just before the first child CAS of / (by Corollary 34 1. By 



Lemma 36 pi is a parent of nodet — gpd at some time during search(wa/i) and gpd is a parent of pd at some time 
during search(tia^rf). So, pi is a parent of nodei = gpd and gpd is a parent of pd just before the first child CAS of 
/ (by Lemma [3T]i. Thus, gpd is the only reachable parent of pd just before the first child CAS of / (by Lemma [9]l. 
Since gpd becomes unreachable just after the first child CAS of /, pd also becomes unreachable just after the first 



child CAS of /. By Lemma 37 gpd is unreachable at all times after T. 



Lemma 64. Let I be a Flag object. After some call to help(I) terminates, the info field of no reachable internal 
node is I. 

Proof Let be a call to help(/) that terminates. Now, we show that no flag CAS of / succeeds after h executes 
First, h tries to flag at least one node in Fi on line 90 (since doChildCAS is initially true). Let j > I 



line 93 



be the number of flag CAS steps that h performs. Since h attempts to flag Lflag[l\ to Lflag[j] before executing 



line 93 and only the first flag CAS of / on each node can succeed (by Lemma [16]), none of these nodes become 



flagged after h executes line 93 



If X is not the last node in I. flag, x.info 7^ / on line pTl (since x is the last node in I. flag that h tries to flag). 



Since the first flag CAS of / on a; is performed before x.info ^ I on line 91 x.info 7^ / at all times after that 



(by Lemma 16 1. So, after h executes line 93 no other call to help(J) attempt to flag any node that is in I.flag 



after x. Thus, after h executes line 93 no flag CAS of / succeeds. Now, we consider two cases according to the 
value of I.flagDone at line [99| 



Case 1: I.flagDone is false when h executes line 99 Then, h executes a backtrack CAS of / on each element 
of Fj at line 1 105 1 Let x be a node in Fj. If x.info = I when h executes line 105 x.info is changed to an Unflag 
object when h executes line 105 and x.info is never set back to / after that. If x.info 7^ / when h executes line 



105 x.info is not set to / at any time after that (since no flag CAS of / succeeds after that). So, the info field 



of no node in Fj is / after h terminates. 

Case 2: I .flagDone is true when h executes line 99 First, we show that a child CAS step of / on each element 
of I.pNode is performed before h executes line 99 If doChildCAS is true, then h performs these child CAS 
steps itself. Otherwise , h set doChildCAS to false at line 91 when the info field of node x is not / on line 91 



Since I .flagDone is true when h executes line 99 the info field of x was set to / before h executes line 99 (by 
Lemma [Tsjl. Since x.info 7^ / when h executes line 91 after h tries to set x.info to /, x.info was set to / and 

So, an unflag or backtrack CAS 



changed from / to some other value before h executes line 91 (by Lemma [16 



step of / on a; succeeded before h reads x.info at line 91 



Let h' be the call to help(/) that executes the first unflag or backtrack CAS of /. Since no unflag or backtrack 



CAS of / succeeds before h' executes line [99[ and the info fields of all nodes in Fj are set to / before h executes 

h' sets doChildCAS to true at each execution of line 91 



line 99 after h' tries to flag nodes in F/ at line 



doChildCAS is true when h' executes Une 93 



90 



Since 



h' executes a child CAS of / on each element of I.pNode at line 
98[ before it performs any unflag or backtrack CAS step of /. So, a child CAS of / on each element of I.pNode 
at Une 98 is executed before h reads x.info at line 91 By Lemma 63 all nodes in Fj — Uj are unreachable after 
h terminates. 



Since I .flagDone is true when h executes line 99 h performs unflag CAS of / on all nodes in Ui at line 101 
Let x be a node in [//. If x.info ~ I when h executes line 101 x.info is changed from / to an Unflag object 



at Une 101 and x.info is never set back to / after that (by Lemma 15 1. If x.info 7^ / when h executes line 101 



x.info is not set to / at any time after that (since no flag CAS of / succeeds after that). So, the info field of no 
node in Ui is / after h terminates. Thus, the info field of no reachable node is / after h terminates. ■ 
The following lemma show that when the update operation reads the node nodeSibling at line 38 or 50 or the 



node pSibling at line 66 the node was reachable during the update operation at some earlier time. The proof of 
the lemma is similar to the proof of Lemma [36[ and we do not present the argument here again. 
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Lemma 65. If the update operation reads nodeSibling at line 38 or 50 during a loop iteration, there is a time after 
the update operation begins the loop iteration and before the update operation reads nodeSibling that nodeSibling 
is reachable. 

Finally, we show that the implementation is non-blocking. 

Lemma 66. The implementation is non-blocking. 

Proof: We prove the lemma by contradiction. Assume the implementation is not non-blocking. So, there is an 
execution of the implementation such that, after time T, each pending operation op take infinitely many steps and 
no operation terminates. 

Assume update operations opi,op2, ■■■,opn each take infinitely many steps after time T. By Lemma 61 these 
operations are update operations. 



Each call to help terminates, by Lemma 64 the info field of no reachable node is / after a call to help(/) 
terminates. So, if / is created before T and help(/) is called after that, after the call to help(/) terminates, no other 
operation sees / in the info field of any reachable node. Now, we show that if the operation op calls help(/) during 
a loop iteration and / is created by another operation, then / was read from the info field of a node that was 
reachable during the loop iteration. 

If op calls help(/) and / is created by another operation, then help(/) is called on line 110 or 119 If help(/) 



is called at line |110[ / is read from the info field some node that the search operation returns earlier. If help(/) 
is called at line |119| inside the createNode routine, which is called at line |27] or |53] / is read from the info field 
of some node that the search operation returns earlier In either case, the node that the search operation returns 



was reachable at some time during the search operation by Lemma 36 If help(/) is called at line 1 19 inside the 



createNode routine, which is called at line 62 / is read from the info field some node that is read at line 50 By 



Lemma 65 the node was reachable at some time during the the loop iteration that help(/) is called. 

So, if some opi starts its loop iteration after the first call to help(/) returns, opi cannot call help(/) during that 
loop iteration. Since the number of Flag objects that are created before T is finite, there is a time T^. after T such 
that no operation calls help(/) if / is not created by opi, op2, op„ after T" . Let T" (> T^) be a time by which 
each running operation has started a new loop iteration after T^. Thus, after T", help(/) is only called for Info 
object / that were created by opi,op2, ...,op„. 
Claim: Some operation calls the help routine after T". 

Proof of Claim. To derive a contradiction, assume no help routine is called after T" . So, there is a time T' (> T"), 
no operation executes any line of the help routine. Since the info and child fields of nodes are only changed at 
line 90 95 98 101 or 105 inside the help routine, the info and child field of no node is changed after T'. Let 



op be an update operation that is running after T'. 

First, we show if op calls newFlag after T', newFlag does not return null. Suppose op calls newFlag at line 
30l 



31 40 55 57 59 64 



or 



70 Since no info field is changed after T', no newFlag returns null at line 113 If 



newFlag returns null at line 111 the help routine is called at line 110 just before that. So, no newFlag returns null 
after T'. 

We consider different cases according to the type of the update operation that op is. For each case, we show that 
op calls the help routine. 



Case 1: op is insert(wa/). We show if op does not call the help routine at line 32 during a loop iteration after 
T', op calls the help routine at line 119 during that loop iteration. Let ( -, p, node, -, -, rmvd) be the result 



returned by the call to search(i>aO at line pSl during the iteration. Since op does not call the help routine at line 32 



and newFlag does not return false at line B0\ or [31] createNode returns null when it is called at line 27 Suppose 
createNode(no(iei, node2, -) is called at line |27| Then, nodci is a new copy of node and node2 is a leaf node 
whose label is val. So, node.label is a prefix of val or val is a prefix of node.label. If node is an internal node, 
node.label is not a prefix of val by Lemma |6] So, node is a leaf node and node.label — val. Since op does not 
return false at line [24] rmvd is true. Since rmvd is set to true at line 
an Unflag object. Let /' be a Flag object that node.info = I' at line 



84 



84 



node.info that is read at line [84] is not 



25 Since /' is a Flag object, op calls the help routine at line 119 

Case 2: op is delete(Da/). We show that op calls the help routine at line 
Let (gp, p, node, -, -, -) be the result returned by the call to search(wa/) at line l36j during the iteration. First, we 



By Lemma 40 node.info = /' at line 
during each loop iteration after T' . 
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show gp is not null. If gp is null, the search operation exits the loop after the first loop iteration (since gp is set to 
p at line 80 during each loop iteration and after the first execution of line 81 p is an internal node by Lemma |4]l. 
Then, p — root. Since op does not return false at line 37 node is a leaf node whose label is val. If node is set to 
root.child[0] at line 82 by Lemma [62| and Invariant |7j node.label — 00. ..0. If node is set to root.child[l] at line 
[82] by Lemma 62 and Invariant [7] node.label — 1L..1. Since val ^ 00. ..0 and val ^ 11. ..1 by the precondition 



of delete(t;aO, gp is not null. Since newFlag does not return null at line 40 op calls the help routine at line 41 

Case 3: op is replace{vald, vali). Let {gpd, Pd, noded, -, -, -) be the result returned by the call to search(-yaZd) 
at line 45 during a loop iteration of op that started after T' and ( -, pi, nodei, -, -, rmvdi) be the result returned 
by the call to search(wa/i) at line 47 during the same loop iteration. The same argument as in Case 2 establishes 
that gpd is not null. Now, we consider different cases of replace(ua/d, vaU). For each case, we show that op calls 
the help routine. 

" op 



Case 3A: nodei ^ {noded, Pd, gPd} and pi ^ pd. We show if op does not call the help routine at line 71 



calls the help routine at line |1 19| Since op does not call the help routine at line |7T| and newFlag does not return 
null at line [55] or |57] neither line [55] nor [57] is executed. So, createNode returns null when it is called at line [53] 
Suppose createNode(no(iei, node2, -) is called at line [53] Then, nodei is a new copy of nodei and node2 is a 
leaf node whose label is vali. So, nodei.label is a prefix of vali or vali is a prefix of nodei.label. If nodei is an 
internal node, nodei.label is not a prefix of vali by Lemma [6| So, nodei is a leaf node and nodei.label = vali. 
Since op does not return false at line|48] rmvdi is true. Since rmvdi is set to true at line [84] nodei.info that is 



read at line 84 is not an Unflag object. Let /' be a Flag object that nodei.info = I' at line 84 By Lemma 40 



nodei.info ~ I' at line 25 Since /' is a Flag object, op calls the help routine at line 119 

Case 3B: nodei — noded. Since newFlag does not return null after T', op sets movlnfo to a Flag object at line 
59 and calls the help routine at line 71 

Case 3C: nodei noded and either nodei = Pd or pi = pd. We show if nodei = pd, Pi = gPd- By Lemma [6] 
gpd was a parent of pd = nodei at some time during search{vald) and pi was a parent of nodei = 9Pd at some 
time during search(tia^i). Since no child field is changed after T', gpd and pi are parents of pd — nodei at all 
times after T'. By Lemma 36 gpd was reachable at some time during search(uaZd) and pi was reachable at some 
time during search(i'aZj)- Since no child field is changed after T', gpd and pi are reachable at all times after T' . 
So, by Lemma [9] pi — gpd. 

Since either nodci — pd and pi = gpd or pi = pd (and gpd is not null), createNode is called at line [62] If 
createNode does not return null, op calls the help routine at line 71 since newFlag does not return null at line [64[ 
Now, we show if createNode returns null, the help routine is called at line 119 Let nodeSiblingd be the child of 
Pd that is read at line 50 Suppose createNode(noc?ei, node2, -) is called at line 62 Then, nodci is nodeSiblingd 
and node2 is a leaf node whose label is vali. So, nodeSiblingd.label is a prefix of vali or vak is a prefix of 
nodeSiblingd.label. By Lemma [6] pd.child[i] — nodcd for some i at some time during search(wa/d)- 

If nodci — Pd, since nodci is an internal node (by Lemma [4]i, nodei.label is not a prefix of vak (by Lemma 
[6]l. Since pd-label is a prefix of nodeSiblingd (by Invariant [7]), nodeSiblingd.label is not a prefix of vali. Thus, 
createNode does not return null. 

If Pi — Pd, since nodci ^ nodcd and no child field is changed after T', nodci and nodcd are children 
of Pi — Pd at all times after T'. Since nodeSiblingd is also a child of pd at all times after T' and 
nodeSiblingd.label ^ nodcd-label (by Invariant [7]l, nodeSiblingd = nodci. If nodeSiblingd is an internal node, 
since nodeSiblingd — nodci, nodeSiblingd.label is not a prefix of vak (by Lemma|6]l. Then, createNode does not 
return null. If nodeSiblingd is a leaf node and nodei.label ^ vak, createNode does not return null. If nodeSiblingd 
is a leaf node and nodei.label = vak, since op does not return false at line [48] rm vdi is true. Since rmvdi is 
set to true at line 84 nodei.info is not an Unflag object when it is read at line [84[ . Let /' be a Flag object that 
nodei.info = I' at line 84 By Lemma 40 since nodci = nodeSiblingd, nodeSiblingd -info ~ I' at line 62 



Since /' is a Flag object, op calls the help routine at line 119 



Case 3D: Otherwise. First, we show that the condition at line [65] is true and nodci = gpd. Since the condition 
at line is not true and , nodci is nodcd, Pd or gpd. Since the conditions at line [58] and [60[ are not true, then 
nodci 7^ nodcd and nodci ^ pd. So, nodci = gpd and the condition at line [65] is true. Let nodeSiblingd be the 
child of Pd that is read at line [50[ and pSiblingd be the child of gpd that is read at line [66[ First, we show that 
createNode(nocieS'iWm(7d, pSiblingd, -) that is called at line[67]does not return null. By Lemma[6] gpd.child[i] — pd 
at some time during search(ua/c;) for some i. By Invariant[7] {gpd.label)-i is a prefix of pd-label. Since nodeSiblingd 



38 



was a child of at line|50j (gpd-label) -i is a prefix of nodeSiblingd-label (by Invariant [7]l. By Lemma|6] pd-label 
is a prefix of vald- So, {gpd-label) • i is a prefix of vald- Since pSiblingd-label is read as a child of gpd at line 66 
(gpd-label) ■ i is not a prefix of pSiblingd-label (by Invariant |7]l. So, cmnteNodeinodeSiblingd, pSiblingd, -) that 
is called at line |67] does not return null. 

Since createNode that is called at line |67] does not return null, createNode is also called at line |69] Since 
gPd — nodci, nodci is an internal node by Lemma |4] and gpd-label is not a prefix of vali (by Lemma |6]l. Since 
gpd-child[i] = pd at some time during search(i;a/d) and pd is a parent of nodeSiblingd at line 50 gpd-label is 
a prefix of nodeSiblingd (by Invariant |7]i. Since gpd is a parent of pSiblingd at line 66 gpd-label is a prefix of 
pSiblingd (by Invariant |7]i. Let newChildi be the internal node that is created at line 67 Since the children of 
newChildi are initially nodeSiblingd and pSiblingd, gpd-label is a prefix of newChildi. label (by Invariant |7|. 
Since gpd-label is not a prefix of vali, newChildi.label is not a prefix of vali. So, createNode does not return 
null when it is called at line|69] Since the createNode routines that are called at line |67] and |69] do not return null, 
op calls the newFlag routine at line 70 Since newFlag does not return null after T', op calls the help routine at 
line 71 This complete the proof of the claim. 

Thus, after T', some running operation calls the help routine. Let / be a Flag object that is created by some opi 
where 1 < i < n. After opi creates /, it calls help(/) at line 

or 



32 41 or 71 Any other operation that visits any node 



whose info field is / might also call help(/) at line 110 



119 So, there is a group of calls to help(/) after T'. 



If a child CAS step of / is executed, the operation that created / returns true (by Lemma 46 1. Since / is created 
by one of opi, op2, opn and opi,op2, op„ do not return after T', no call to help(/) executes a child CAS of 
/ after T'. 

So, no call to help(/) sets I.flagDone to true at line 94 Thus, all calls to help(/) set doChildCAS to false at 
line 91 so the info field of some node in Fi was not / at line 91 Let node be the first such node that causes any 
call to help(/) to set doChildCAS to false. We say that a group of calls to help(/) blames node. 

Since no child CAS is performed after T' , the set of nodes logically in the trie does not change. Let node,n be 
the node in the trie whose label is the greatest among the labels of nodes that are blamed in this way, according to 
the total ordering that is used to sort on line |1 15| Let I„i be a Flag object such that the group of calls to help(/,„) 
blames node^. 

First, we show that nodem.info is not set to /,„ by any flag CAS of /,„. Consider the first time that a call to 
help(/„j) sets doChildCAS to false because nodem.info ^ Im on line 91 at time T,„. Since nodem is the first 
node that a call to help(/m) did not set nodem-info to /,„, nodem.info is not set to Im before T„j. Since the 
first Flag CAS of on nodem occurs before Tm, no flag CAS of /,„ changes nodem.info to after Tm (by 
Lemma [T6|. 

If the old value of nodem-info that is passed to the newFlag routine is not an Unflag object, the newFlag returns 
null at line 1 1 1 1 1 Since Im is created inside the newFlag routine, the old value of nodem-info that is passed to 
the newFlag routine that created Im was an Unflag object. Since no call to help(/m) flags nodem successfully, 
nodem-info is changed from the Unflag object before any flag CAS of /,„ on nodem- By Lemma 12 nodem-info 
is set to a Flag object Ij ^ Im before any flag CAS of /,„ on nodem- Let gj be the group of calls to help(/j). One 
such call changes nodem-info to Ij. Let nodcj be the node that gj blames. Then, nodej.label < nodem.label by 



definition of nodem. (Since the newFlag routine keeps only one copy of duplicates in Ij.flagNode at line 114 
nodej.label ^ nodem-label.) However, nodem appears earlier in I j. flag array than nodej, contradicting the fact 
that nodes in Ij.flag are flagged in order of their labels and nodej.info must set to Ij before nodem-info is set 
to Ij (by Lemma 17 1. 

Therefore, no operation takes infinitely many steps after T and the implementation is non-blocking. ■ 
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